rar - accueil | asampsa easampsa.eu/wp-content/uploads/...wp30...selection.docx · web viewthe...

ASAMPSA_EAdvanced Safety

Assessment Methodologies: extended PSA

"NUCLEAR FISSION"Safety of Existing Nuclear Installations

Contract 605001

Methodology for Selecting Initiating Events and Hazards for Consideration in an Extended PSA

Reference ASAMPSA_ETechnical report ASAMPSA_E/WP30/D30.7/2017-31 volume 2

Reference IRSN PSN-RES/SAG/2017-00017

A. Wielenberg (GRS), R. Alzbutas (LEI), M. Apostol (ICN), A. Bareith (NUBIKI), P. Brac (EDF), L. Burgazzi (ENEA), E. Cazzoli (CCA), L. Cizelj (IJS), M. Hage

(GRS), Hashimoto K. (JANSI), F. Godefroy (AREVA), M. Gonzalez (US-NRC), P. Groudev (INRNE), H. Löffler (GRS), L. Kolar (UJV), M. Kumar (LRC), M. Nitoi (INR), A. Prošek (IJS), E. Raimond (IRSN), T. Siklóssy (NUBIKI), J. Vitazkova

(CCA), A. Volkanovski (IJS)

Period covered: from 01/01/2015 to

31/12/2016

Actual submission date: 31/12/2016

Start date of ASAMPSA_E: 01/07/2013 Duration: 42 months

WP No: 30 Lead topical coordinator : A. Wielenberg then H. Löffler His organization name : GRS

Project co-funded by the European Commission Within the Seventh Framework Programme (2013-2016)

Dissemination Level

PU Public YesRE Restricted to a group specified by the partners of the No

ASAMPSA_E/WP30/D30.7/2017-31 volume 2

IRSN/PSN-RES/SAG/2017-00019 1/142



ASAMPSA_E projectCO Confidential, only for partners of the ASAMPSA_E project No


IRSN/PSN-RES/SAG/2017-00019 2/142



ASAMPSA_E Quality Assurance page

Partners responsible of the document : GRS, IRSN

Nature of document

Technical Report

Reference(s) Technical report ASAMPSA_E/WP30/D30.7/2017-31 volume 2Rapport IRSN PSN-RES/SAG/2017-00017

Title Methodology for Selecting Initiating Events and Hazards for Consideration in an Extended PSA

Author(s) A. Wielenberg (GRS), R. Alzbutas (LEI), M. Apostol (ICN), A. Bareith (NUBIKI), P. Brac (EDF), L. Burgazzi (ENEA), E. Cazzoli (CCA), L. Cizelj (IJS), M. Hage (GRS), Hashimoto K. (JANSI), F. Godefroy (AREVA), M. Gonzalez (US-NRC), P. Groudev (INRNE), H. Löffler (GRS), L. Kolar (UJV), M. Kumar (LRC), M. Nitoi (INR), A. Prošek (IJS), E. Raimond (IRSN), T. Siklóssy (NUBIKI), J. Vitazkova (CCA), A. Volkanovski (IJS)

Delivery date 2016-12-31Topical area Initiating EventsFor Journal & Conf. papers

No

Summary :

An extended PSA applies to a site of one or several Nuclear Power Plant unit(s) and its environment. It intends to calculate the risk induced by the main sources of radioactivity (reactor core and spent fuel storages) on the site, taking into account all operating states for each main source and all possible relevant accident initiating events (both internal and external) affecting one unit or the whole site. The combination between hazards or initiating events and their impact on a unit or the whole site is a crucial issue for an extended PSA.

The report tries to discuss relevant methodologies for this purpose. The report proposes a methodology to select initiating events and hazards for the development of an extended PSA. The proposed methodology for initiating events identification, screening and bounding analysis for an extended PSA consists of four major steps:

1. a comprehensive identification of events and hazards and their respective combinations applicable to the plant and site. Qualitative screening criteria will be applied,

2. the calculation of initial (possibly conservative) frequency claims for events and hazards and their respective combinations applicable to the plant and the site. Quantitative screening criteria will be applied,

3. an impact analysis and bounding assessment for all applicable events and scenarios. Events are either screened out from further more detailed analysis, or are assigned to a bounding event (group), or are retained for detailed analysis,

4. the probabilistic analysis of all retained (bounding) events at the appropriate level of detail.

Visa gridMain author(s) : Verification Approval

(Coordinator)

Name (s) A. Wielenberg H. Löffler E. RaimondDate 13.12.2016 14.12.2016 27.01.2017


IRSN/PSN-RES/SAG/2017-00019 3/142



Signature


IRSN/PSN-RES/SAG/2017-00019 4/142



MODIFICATIONS OF THE DOCUMENT

Version Date AuthorsPages or

paragraphs modified

Description or comments

Rev. 0 15/09/2014 Wielenberg All Initial version

Rev.1 21/04/2015 Wielenberg (ed.) All Garching workshop version

Rev 2 09/07/2015 Wielenberg (ed.) Sections 3 to 6

Additions to section 3, first draft of section 4, partial draft of section 5 and 6.

Rev. 3 21/09/2015 Wielenberg (ed.) Sections 3 to 6

Multi-unit considerations, diverse edits and inclusion of contributions

Rev. 4 16/10/2015 Wielenberg (ed.) Section 5.3, 6 Integration of several contributions

Rev. 5 23/10/2015 Wielenberg (ed.) Section 5.4, 5.5

Integration of contribution on IE identification

Rev. 6 Wielenberg (ed) Section 5.3, 7 Treated comments by NUBIKI, Glossary

Rev. 7 16/02/2016 E. Raimond All Report simplification. All initial ideas are kept.

Rev. 8 09/03/2016 Hage, Hashimoto, Wielenberg

Further development of simplified report.

Rev. 9 20/03/2016 E. Raimond, H. Loeffler, M. Hage Section 6 Modifications after review

Rev. 10 20/04/2016 H. Löfflerexec. summary, NRC contribution

Editorial updates in all sections

Rev. 11 05/05/2016 E. Raimond Section 5.1.3 and 5.2.11 Final format

Rev 12 10/05/2016P. Brac, R. Albuzas, F. Godefroy, E. Raimond , H. Löffler,

Sections 5.2.6, 5.2.11, 5.2.23

Complements on national activities.References in report.

Rev. 1315/10/2016 A. Prošek (ed.) All

External review version for ASAMPSA_E Final End-Users Workshop (TRACTEBEL, IRSN, JANSI, LEI, ENSI, EDF) + JSI

19/10/2016 H. Löffler summary, sect 6 and 7

introduce responsibility of authorities in screening approach

Final 13/12/2016 A. Prošek, H. Löffler, A. Wielenberg All Final consideration of

comments and final edits27/01/2017 E. Raimond Few Editorial modification


IRSN/PSN-RES/SAG/2017-00019 5/142



LIST OF DIFFUSION

European Commission (Scientific Officer)

Name First name

Organization

Passalacqua Roberto EC

ASAMPSA_E Project management group (PMG)

Name First name Organization

Raimond Emmanuel IRSN Project coordinator

Guigueno Yves IRSN WP10 coordinator

Decker Kurt Vienna University

WP21 coordinator

Klug Joakim LRC WP22 coordinator until 2015-10-31

Kumar Manorma LRC WP22 coordinator after 2015-10-31Wielenberg Andreas GRS WP30 coordinator until 2016-03-31

Löffler Horst GRS WP40 coordinatorWP30 coordinator after 2016-04-01


IRSN/PSN-RES/SAG/2017-00019 6/142

ASAMPSA_E D30.7 vol 2 Selecting Initiating Events for an Extended PSA

REPRESENTATIVES OF ASAMPSA_E PARTNERS


Mustoe Julian AMEC NNCGrindon Liz AMEC NNCPierre Cecile AREVAGodefroy Florian AREVADirksen Gerben AREVAKollasko Heiko AREVAMichaud Laurent AREVAPellisseti Manuel AREVACordoliani Vincent AREVAHasnaoui Chiheb AREXISHurel François AREXISSchirrer Raphael AREXISGryffroy Dries Bel VDe Gelder Pieter Bel VVan Rompuy

Thibaut Bel V

Jacques Véronique Bel VCazzoli Errico CCAVitázková Jirina CCABonnevialle Anne-Marie EDFBordes Dominique EDFVasseur Dominique EDFPanato Eddy EDFRomanet François EDFLopez Julien EDFGallois Marie EDFHibti Mohamed EDFBrac Pascal EDFJan Philippe EDFNonclercq Philippe EDFBernadara Pietro EDFBenzoni Stéphane EDFParey Sylvie EDFRychkov Valentin EDFCoulon Vincent EDFBanchieri Yvonnick EDFBurgazzi Luciano ENEAKarlsson Anders FKAHultqvist Göran FKAPihl Joel FKALjungbjörk Julia FKAKÄHÄRI Petri FKAHage Michael GRSMildenberger

Oliver GRS

Sperbeck Silvio GRSSerrano Cesar IECBenitez Francisco Jose IECDel Barrio Miguel A. IECApostol Minodora INRNitoi Mirela INRStefanova Antoaneta INRNEGroudev Pavlin INRNELaurent Bruno IRSNClement Christophe IRSNDuluc Claire-Marie IRSNLeteinturier Denis IRSNCorenwinder

François IRSN

Pichereau Frederique IRSNGeorgescu Gabriel IRSNBonneville Hervé IRSN


Denis Jean IRSNBonnet Jean-Michel IRSNLanore Jeanne-Marie IRSNEspargilliere Julien IRSNMateescu Julien IRSNGuimier Laurent IRSNBardet Lise IRSNRahni Nadia IRSNBertrand Nathalie IRSNDuflot Nicolas IRSNScotti Oona IRSNDupuy Patricia IRSNVinot Thierry IRSNRebour Vincent IRSNGuigueno Yves IRSNProšek Andrej JSIVolkanovski Andrija JSIAlzbutas Robertas LEIRimkevicius Sigitas LEITomas Iešmantas LEIOlsson Anders LRCHäggström Anna LRCKlug Joakim LRCKumar Manorma LRCKnochenhauer

Michael LRC

Kowal Karol NCBJBorysiewicz Mieczyslaw NCBJPotempski Slawomir NCBJVestrucci Paolo NIERLa Rovere Stephano NIERBrinkman Hans (Johannes

L.)NRG

Bareith Attila NUBIKILajtha Gabor NUBIKISiklossy Tamas NUBIKICaracciolo Eduardo RSEMorandi Sonia RSEGorpinchenko

Oleg SSTC

Dybach Oleksiy SSTCGrondal Corentin TRACTEBELClaus Etienne TRACTEBELOury Laurence TRACTEBELDejardin Philippe TRACTEBELYu Shizhen TRACTEBELMitaille Stanislas TRACTEBELZeynab Umidova TRACTEBELBogdanov Dimitar TUSIvanov Ivan TUSKubicek Jan UJVHoly Jaroslav UJVKolar Ladislav UJVJaros Milan UJVHustak Stanislav UJVProchaska Jan VUJEHalada Peter VUJEStojka Tibor VUJE

REPRESENTATIVE OF ASSOCIATED PARTNERS (External Experts Advisory Board (EEAB))


IRSN/PSN-RES/SAG/2017-00019 7/142


Name First name

Company

Hirata Kazuta JANSIHashimoto Kazunori JANSI

Inagaki Masakatsu JANSI

Yamanana Yasunori TEPCOCoyne Kevin US-NRCGonzález Michelle

M. US-NRC


IRSN/PSN-RES/SAG/2017-00019 8/142


EXECUTIVE SUMMARY

An extended PSA applies to a site of one or several Nuclear Power Plant unit(s) and its environment. It intends to calculate the risk induced by the main sources of radioactivity (reactor core and spent fuel storages) on the site, taking into account all operating states for each main source and all possible relevant accident initiating events (both internal and external) affecting one unit or the whole site. The combination between hazards or initiating events and their impact on a unit or the whole site is a crucial issue for an extended PSA.

The report tries to discuss relevant methodologies for this purpose. It includes considerations on: the existing basic approach for the identification of initiating events and hazards in PSA

(screening methodologies), the practices in countries and proposed by international standards, especially from IAEA, the appropriate risk metrics and screening thresholds to be used in the process of initiating

events and hazards selection for an extended PSA, the link between deterministic and probabilistic approaches for the selection of initiating

events, the screening of high impact events, possibly correlated, associated to a low frequency of

occurrence, but which can induce major consequences on a NPP, the specificities of hazards screening.

From these considerations, the report proposes a methodology to select initiating events and hazards for the development of an extended PSA. The proposed methodology for initiating events and hazards identification, screening and bounding analysis for an extended PSA consists of four major steps:

1. A comprehensive identification of events and hazards and their respective combinations applicable to the plant and site. Qualitative screening criteria will be applied.

2. The calculation of initial (possibly conservative) frequency claims for events and hazards and their respective combinations applicable to the plant and the site. Quantitative screening criteria will be applied.

3. An impact analysis and bounding assessment for all applicable events and scenarios. Events are either screened out from further more detailed analysis, or are assigned to a bounding event (group), or are retained for detailed analysis.

4. The probabilistic analysis of all retained (bounding) events at the appropriate level of detail.

From an industrial end-user perspective, the process must be effective enough to be able to identify rapidly key predominant hazards eligible for extended PSA analysis. This is paramount to enable industrial end-users to better focus resources and direct them to address issues that present the highest significance to NPP Risks and Safety. The report provides some envelope good practices for each step of the selection of extended PSA initiating events. From an industrial end-user perspective,


IRSN/PSN-RES/SAG/2017-00019 9/142


each step must be adapted and simplified where necessary in accordance with the responsible authorities to be effective enough to be able to identify rapidly predominant hazards eligible for extended PSA analysis.

The concluding section of the report provides summaries and recommendations on: the main qualitative and quantitative screening criteria, the structure of the whole screening process, the PSA quality, the transition from rough screening towards detailed PSA models, the link with the situations that should be practically eliminated.


IRSN/PSN-RES/SAG/2017-00019 10/142


ASAMPSA_E PARTNERS

1 Institute for Radiological Protection and Nuclear Safety IRSN France2 Gesellschaft für Anlagen- und Reaktorsicherheit mbH GRS Germany

3 AMEC NNC Limited AMEC NNC United-Kingdom

4 Ricerca sul Sistema Energetico RSE S.p.A. Italy5 Lloyd's Register Consulting LRC Sweden6 Nuclear Research Institute Rez pl UJV Czech7 Universität Wien UNIVIE Austria8 Cazzoli Consulting CCA Switzerland

9 Italian National Agency for New Technologies, Energy and the Sustainable Economic Development ENEA Italy

10 Nuclear Research and consultancy Group NRG Nederland

11 IBERDROLA Ingeniería y Construcción S.A.U IEC Spain

12 Electricité de France EDF France

13 Lietuvos energetikos institutas (Lithuanian Energy Institute) LEI Lithuania

14 NUBIKI NUBIKI Hungary

15 Forsmark kraftgrupp AB FKA Sweden

16 AREVA NP SAS France AREVA NP

SAS France

17 NCBJ Institute NCBJ Poland

18

State Scientific and Technical Center for Nuclear and Radiation Safety” SSTC Ukraine

19 VUJE VUJE Slovakia

20 NIER Ingegneria NIER Italy

22 TRACTEBEL ENGINEERING S.A. TRACTEBEL Belgium

23 BeL V BeL V Belgium

24 Institut Jozef Stefan JSI Slovenia

25

Institute of nuclear research and nuclear energy – Bulgarian Academia of science INRNE Bulgaria

26

Regia Autonoma Pentru Activatati Nucleare Droberta Tr. Severin RA Suc INR Roumania


IRSN/PSN-RES/SAG/2017-00019 11/142


27 Technical University of Sofia – Research and Development Sector TUS Bulgaria

28 AREXIS S.A.R.L. AREXIS France

29 United States Nuclear Regulatory Commission US-NRC US

30 Tokyo Electric Power Company TEPCO Japan

31 Japan Nuclear Safety Institute JANSI Japan


IRSN/PSN-RES/SAG/2017-00019 12/142


CONTENT MODIFICATIONS OF THE DOCUMENT................................................................................................................................................3

LIST OF DIFFUSION.............................................................................................................................................................................4

EXECUTIVE SUMMARY.................................................................................................................................................................6

ASAMPSA_E Partners........................................................................................................................................................................8

CONTENT...........................................................................................................................................................................................9

GLOSSARY......................................................................................................................................................................................11

1 INTRODUCTION..........................................................................................................................................................................13

2 PSA END-USERS RECOMMENDATIONS FOR SCREENING................................................................................................13

3 DEFINITIONS USED IN THE REPORT.....................................................................................................................................14

4 GENERAL METHODOLOGY FOR THE SELECTION OF INITIATING EVENTS and hazards IN AN EXTENDED PSA. 20

5 REVIEW OF EXISTING APPROACHES....................................................................................................................................22

5.1 INTERNATIONAL ORGANIZATIONS...............................................................................................................................22

5.1.1 International Atomic Energy Agency (IAEA)..............................................................................................22

5.1.2 Western European Nuclear Regulators Association (WENRA)..................................................................34

5.1.3 Organisation for Economic Co-operation and Development/ Nuclear Energy Agency (OECD/NEA).......37

5.1.4 ASME/ANS..................................................................................................................................................38

5.2 COUNTRIES...........................................................................................................................................................................40

5.2.1 Belgium........................................................................................................................................................40

5.2.2 Bulgaria........................................................................................................................................................40

5.2.3 Canada..........................................................................................................................................................42

5.2.4 Czech Republic.............................................................................................................................................45

5.2.5 France...........................................................................................................................................................49

5.2.6 Germany.......................................................................................................................................................55

5.2.7 Hungary........................................................................................................................................................62

5.2.8 Japan.............................................................................................................................................................63

5.2.9 Lithuania.......................................................................................................................................................66

5.2.10 Romania......................................................................................................................................................69

5.2.11 Russia..........................................................................................................................................................72

5.2.12 Sweden........................................................................................................................................................72

5.2.13 Slovakia......................................................................................................................................................74

5.2.14 Slovenia......................................................................................................................................................75

5.2.15 Switzerland.................................................................................................................................................76

5.2.16 United Kingdom.........................................................................................................................................76


IRSN/PSN-RES/SAG/2017-00019 13/142


5.2.17 Ukraine.......................................................................................................................................................77

5.2.18 USA............................................................................................................................................................79

5.2.19 Others..........................................................................................................................................................80

5.3 COMPARISONS OF PRACTICES AND LESSONS LEARNED........................................................................................84

5.3.1 List of IE and hazards to be considered in the screening process................................................................85

5.3.2 Area of interest around the NPP...................................................................................................................85

5.3.3 Comparison of qualitative screening criteria................................................................................................86

5.3.4 Comparison of quantitative screening criteria..............................................................................................86

5.3.5 Considerations on multi-units site................................................................................................................86

5.3.6 Considerations on correlated hazards and events.........................................................................................87

5.3.7 Conclusions..................................................................................................................................................87

6 GOOD PRACTICES FOR EXTENDED PSAS............................................................................................................................87

6.1 GENERAL CONSIDERATIONS FOR INITIATING EVENTS SELECTION....................................................................87

6.2 SCREENING CRITERIA.......................................................................................................................................................89

6.2.1 Qualitative screening criteria........................................................................................................................89

6.2.2 Quantitative screening criteria......................................................................................................................90

6.3 PLANT RESPONSE ANALYSIS, HAZARDS IMPACT ANALYSIS.................................................................................92

6.3.1 General consideration...................................................................................................................................92

6.3.2 Applicability analysis...................................................................................................................................92

6.3.3 Impact analysis.............................................................................................................................................93

6.3.4 Plant response analysis for combinations of hazards including less intense scenarios................................98

6.3.5 Bounding analysis.........................................................................................................................................98

6.4 SELECTION OF THE INDIVIDUAL INTERNAL INITIATING EVENTS TO BE CONSIDERED IN A SINGLE UNIT

PSA..............................................................................................................................................................................................100

6.5 SELECTION OF THE INDIVIDUAL INTERNAL HAZARDS SCENARIOS TO BE CONSIDERED IN A SINGLE

UNIT PSA...................................................................................................................................................................................102

6.6 SELECTION OF THE INDIVIDUAL EXTERNAL HAZARDS SCENARIOS TO BE CONSIDERED IN A SINGLE

UNIT PSA...................................................................................................................................................................................105

6.7 SELECTION OF THE COMBINED/CORRELATED HAZARDS SCENARIOS IN A SINGLE UNIT PSA..................110

6.8 SELECTION OF INITIATING EVENTS FOR MULTI-UNIT, MULTI-SOURCE PSA...................................................112

7 CONCLUSIONS..........................................................................................................................................................................117

8 LIST OF REFERENCES.............................................................................................................................................................123


IRSN/PSN-RES/SAG/2017-00019 14/142


GLOSSARY

AOO Anticipated Operational OccurrenceBDBA Beyond Design Basis AccidentBWR Boiling Water ReactorCCFF Conditional Containment Failure FrequencyCDF Core Damage FrequencyCERP Conditional Early Release ProbabilityCLRP Conditional Large Release ProbabilityDB Design BasisDBA Design Basis AccidentDBE Design Basis EarthquakeDEC Design Extension ConditionDiD Defence in DepthDOE Department of EnergyDSA Deterministic Safety AssessmentERF Early Release FrequencyFDF Fuel Damage FrequencyFMEA Failure Mode and Effect AnalysisHVAC Heating, Ventilation, Air ConditioningI&C Instrumentation and ControlIAEA International Atomic Energy AgencyIE Initiating EventISLOCA Interfacing System LOCALERF Large Early Release FrequencyLRF Large Release FrequencyLOCA Loss of coolant accidentLOOP Loss Of Offsite PowerLRF Large Release FrequencyLWR Light Water ReactorNPP Nuclear Power PlantPIE Postulated Initiating EventPRA Probabilistic Risk AssessmentPSA Probabilistic Safety Analysis or Probabilistic Safety AssessmentPSR Periodic Safety ReviewPWR Pressurized Water Reactor


IRSN/PSN-RES/SAG/2017-00019 15/142


RMF Radionuclide Mobilization FrequencyRMP Radionuclide Mobilization ProbabilityRR Research ReactorSFP Spent Fuel PoolSSC Structures, systems and componentsUHS Ultimate heat sinkWENRA Western European Nuclear Regulators Association


IRSN/PSN-RES/SAG/2017-00019 16/142


1 INTRODUCTION

An extended PSA (probabilistic safety assessment) applies to a site of one or several Nuclear Power Plant unit(s) and its environment. It intends to calculate the risk induced by the main sources of radioactivity (reactor core and spent fuel storages, other sources) on the site, taking into account all operating states for each main source and all possible relevant accident initiating events (both internal and external) affecting one NPP or the whole site. The combination between hazards or initiating events and their impact on a NPP or the whole site is a crucial issue for an extended PSA.

The identification of all initiating events, hazards (internal or external) and their combinations, which contribute to the risk induced by a NPP (or several NPPs on a nuclear site) connected to its environment, is a major task to be done during the development of an extended PSA.

The report tries to discuss relevant methodologies for this purpose. It includes considerations on: the existing basic approach for the identification of initiating events and hazards in PSA

(screening methodologies), the practices in countries and proposed by international standards, especially from IAEA, the appropriate risk metrics and screening thresholds to be used in the process of initiating

events and hazards selection for an extended PSA, the link between deterministic and probabilistic approaches for the selection of initiating

events, the screening of high impact events, possibly correlated, associated to a low frequency of

occurrence, but that can induce major consequences on a NPP, the specificities of hazards screening.

From these considerations, the report proposes a methodology to select initiating events and hazards for the development of an extended PSA.

2 PSA END-USERS RECOMMENDATIONS FOR SCREENING

At the beginning of the ASAMPSA_E project, the following recommendations were formulated during the PSA End-Users workshop in Uppsala and survey [1] on hazards screening. Three types of recommendations were defined:

Type A: most important end-users needs (for which the project should produce adequate guidance),

Type B: intermediate needs (which the project will address if possible), Type C: less important needs (not to be addressed by the project).

These recommendations are provided hereafter.


IRSN/PSN-RES/SAG/2017-00019 17/142


Recommendations related to hazards screening and modelling

19. According to the End-Users survey, existing screening guidance have to be adapted or completed for each application. ASAMPSA_E shall examine why and how to do this adaptation/complement (type A).ASAMPSA_E shall examine how to reduce heterogeneity in quantitative screening criteria (collect and examine the screening values).ASAMPSA_E shall examine which hazards must not be screened out and why.ASAMPSA_E shall comment how far the impact of the hazards must be considered in the screening out process (in case of cliff edge effect, no screening out …?).

20. ASAMPSA_E shall examine the relevance of conditional core melt probabilities and conditional containment failure probabilities (and conditional LER probability) in the screening criteria (type A).

22. ASAMPSA_E shall examine SFP accident screening practices (type A).23. ASAMPSA_E shall discuss the link between screening criteria and design basis conditions (type

A): PSA should focus on areas that are not in the design basis – example : specific

combinations like hazards + induced effects, PSA should include hazards in the design basis (useful for PSR for example).

24. ASAMPSA_E shall discuss the sum of hazards frequencies (final comparison with numerical safety target) (type B).

25. ASAMPSA_E shall examine what to do if the sciences cannot provide information for low frequencies events or extremely high uncertainties on their amplitude (type A).

3 DEFINITIONS USED IN THE REPORT

The following definitions are used in this report. Some variations may exist in comparison with other publications.

Bounding (Probabilistic) AnalysisA bounding analysis is a manifestly conservative analysis applied to initiating events, hazard, hazard scenarios or specific sequences during a PSA. “Worst-case” assumptions for the case under consideration are applied. The PSA analyst shall demonstrates that the bounding analysis covers all (known) sources of uncertainty. Bounding analysis is often the result of expert judgement but should be based on solid arguments and refer to applicable evidence.


IRSN/PSN-RES/SAG/2017-00019 18/142


The results of a bounding analysis in the context of a PSA can be a demonstration that the NPP safety functions are not degraded in some specific conditions, or a conservative value of conditional failure probability of a safety function.

ClaimA claim is an assertion by an analyst. A claim needs to be supported by arguments and can be demonstrated by evidence. For PSA, claims will be made with regard to all elements of a PSA model, including the frequency of events, their impact on the plant, the resilience of the plant, and reliability data.

Core Damage Frequency (CDF)Core damage for PSA Level 1 is commonly understood to occur if there is a significant degradation of reactor core components (like fuel rod (cladding) or control rod). The quantification for the risk metric “core damage” is always the direct frequency (or probability) of the sequence in the risk model. CDF should be defined as a subset of the FDF measure, specifically covering accidental scenarios with the potential for severe off-site releases related to the core of the reactor.

Early Release Frequency (ERF)An early release is commonly understood to cover scenarios with release to the outside of the plant or site perimeter, which happen before off-site emergency measures are effective. The quantification for the risk metric “early release” is always the direct frequency (or probability) of the sequence in the risk model. The time period for early releases should be determined based on the time needed for performing a comprehensive evacuation of the predetermined evacuation sector. The start for the “early” period of time should be consistently assigned to the declaration of a state of emergency by the responsible authority. There should be a minimum release threshold for ERF. We recommend to set such a release threshold consistent to “small” release categories (e.g. a filtered release) and consistent to thresholds for the RMF (if used). Based on these considerations, a lower threshold in the range of 1 TBq I-131 (equiv.) seems to be a reasonable approach.

External EventThe term “external event” can have several distinct meanings:

(1) External event is used synonymous to external hazard, denoting a specific category of hazards.

(2) External event is used synonymous to the first meaning of hazard event when applied to an external hazard.

(3) External event is used synonymous to hazard scenario or hazard scenario group when applied to an external hazard.

Fuel Damage Frequency (FDF)


IRSN/PSN-RES/SAG/2017-00019 19/142


A fuel damage state should be understood as a loss of integrity of fuel elements on the site, which has the potential for a severe accident, irrespective of operating state of the reactor or location of the fuel. The quantification of the FDF is always done with the direct frequency (or probability) of the sequence in the risk model. [86]

HazardThe term “hazard” has multiple specific meanings. In a general sense, a hazard refers to a situation that poses a level of threat to some valuable asset, including life, health, property, or the environment. In this report, hazard is not used in this way. Instead, a hazard is synonymous to an event with the ability to challenge the nuclear safety of the plant (i.e. cause an IE, see below) and simultaneously reduce or degrade SSC relevant for controlling the event. Moreover, there needs to be a mechanism by which the hazard either affects directly or may affect by spreading or propagation more than one specific location in the plant. When referring to specific hazards, the events are often identified with the spreading or propagation mechanism (cf. fire, flooding, earthquake). Hazards are further categorized as (cf. e.g. SSG-3 [4]):(a) Internal hazards originating from the sources located on the site of the nuclear power plant, both inside and outside plant buildings. Examples of internal hazards are internal fires, internal floods, turbine missiles, on-site transportation accidents and releases of toxic substances from on-site storage facilities.(b) External hazards originating from the sources located outside the site of the nuclear power plant. Examples of external hazards are seismic hazards, external fires (e.g. fires affecting the site and originating from nearby forest fires), external floods, high winds and wind induced missiles, off-site transportation accidents, releases of toxic substances from off-site storage facilities and other severe weather conditions.

Hazard eventThe term hazard event can have two distinct meanings:

(1) Hazard event is a specific realization of a hazard. This specific realization occurred to an installation with some specific boundary conditions and specific consequences.

(2) Hazard event is used imprecisely to denote a specific potential realization of a hazard. In this report, the term “hazard scenario” is preferred.

Hazard ScenarioThe term hazard scenario describes a potential (assumed) realization of a hazard defined by at least one characteristic parameter for the severity of hazard impact to the plant (e.g. an earthquake with peak ground acceleration (pga) of 0.5 g). The hazard scenario usually represents a whole set of similar potential realizations of the same hazard, which are bounded in impact severity by the specified assumptions (e.g. the hazard scenario applied to earthquakes with 0.25 g < pga ≤ 0.5 g). In addition, a hazard scenario may entail further specifications like boundary conditions, additional assumptions,


IRSN/PSN-RES/SAG/2017-00019 20/142


and consequential effects. Moreover, a hazard scenario may describe combinations of hazards or combinations of hazards with other (internal) events. Importantly, the hazard scenario shall be sufficiently specific so that a likelihood of occurrence can be assigned to it. In this report, hazard scenario is specifically used to describe the postulated scenario, which is assumed for investigating hazard impact and identification of triggered initiating events within a hazard PSA. Thereby, the assumed scenario is separated from the more general hazard.

Hazard Scenario GroupThe term hazard scenario group is a specification of the hazard scenario term. The hazard scenario group denotes a specific hazard scenario, which is defined with specific characteristic parameters and boundary conditions, and which is used as an enveloping scenario for several other hazard scenarios (with different characteristic parameters, boundary conditions and potentially even different hazard mechanisms). Importantly, the likelihood assigned to a hazard scenario group shall gather the likelihood of all constituent likelihoods. Moreover, it shall be enveloping or bounding in its characteristic parameters and in its boundary conditions regarding the impact on the plant for all constituent hazard scenarios. In this report, the term is used mainly to clearly designate the representative hazard scenarios arrived at after screening, impact assessment, and grouping of hazards.

Impact AnalysisA hazard or hazard scenario results in (potentially detrimental) effects on the plant and its safety. Impact analysis is the investigation of the consequential effects of a hazard or hazard scenario impacting on the plant with the assumed severity. Impact analysis identifies the affected systems, structures, and components as well as other safety provisions and determines if and to what extent plant safety is challenged. The scope and level of detail of impact analysis depends on the specific application. During hazards screening for a PSA, impact analysis is performed firstly in order to determine if plant safety is challenged by hazard impact at all, and then as part of bounding analysis for the respective hazard or hazard scenario.

Initiating Event (IE)An initiating event is an event that could lead directly to fuel damage, or the failure of containment for a radionuclide source leading to the potential mobilization of radionuclides, or that challenges normal operation in a way which requires successful mitigation using safety or non-safety systems to prevent such outcomes.

Note: This is a modified definition from SSG-3 [4] to address also the risk from spent fuel storage facilities (spent fuel pool, etc.) and other radionuclide sources. Note that core damage is a subset of fuel damage (fuel as a source of significant plant releases can be located in the reactor core, spent fuel pool, etc.). The original SSG-3 definition is “An initiating event is an event that could lead directly


IRSN/PSN-RES/SAG/2017-00019 21/142


to core damage (e.g. reactor vessel rupture) or that challenges normal operation and which requires successful mitigation using safety or non-safety systems to prevent core damage.” [4], p. 25

Initiating Event Group (IEG)An initiating event group gathers a number of initiating events into one representative enveloping (bounding) scenario. During the initiating event screening process for a PSA, analysts might decide to assign contributions from several initiating events to one IEG in order to facilitate PSA analyses. The specific initiating events assigned to one IEG should be similar in terms of transient response of the plant, success criteria for safety functions, plant configuration as well as potential consequences with respect to Level 1 and Level 2 risk metrics. The IEG sums up the frequency contributions from all IE assigned to it. The bounding conditions for the enveloping scenario representing the IEG may be unrealistic for each individual IE assigned to the IEG.

Large Release Frequency (LRF)A large release is commonly understood to be an unacceptable release of radionuclides at the plant fence or plant perimeter into the environment of the plant. The quantification for the risk metric “large release” is always the direct frequency (or probability) of the sequence in the risk model. We recommend to define the LRF metric consistently with respect to an amount of radiologically weighted radionuclides. Weighting factors can be found in the INES manual for some nuclides and in more detail in ICRP publications. We recommend to use as leading (representative) isotope I-131 if short-term consequences are of particular interest, Cs-137 if long-term (environmental) consequences are of particular interest.

Maximum ImpactThe maximum impact or maximum credible impact for a hazard or hazard scenario is the maximum load on the plant and its SSC induced by harmful hazard effects to the site. The maximum credible impact applies to the site and needs to consider both the hazard magnitude at its source and the change during its propagation to the site. PSA analysts need to make claims on maximum (credible) impact for a hazard during the hazard screening. For a lot of natural hazards, a maximum impact at the site cannot be determined independent of the occurrence frequency or exceedance frequency. In these cases, PSA analysts will have to specify a sufficiently small threshold value. It should be noted that the maximum impact is often characterized by just one maximum load parameter, but may need to be characterized by a set of load parameters.

Postulated initiated events (PIE)A postulated initiating event (PIE) is “[a]n event identified during design as capable of leading to anticipated operational occurrences or accident conditions. The primary causes of postulated initiating events may be credible equipment failures and operator errors (both within and external to the facility)


IRSN/PSN-RES/SAG/2017-00019 22/142


or human induced or natural events.” [6], p. 98. In this report, PIE is summarily used for those events analysed during deterministic safety analysis, cf. SSG-2 [3] and WENRA Reference Levels [11], [35].

Radionuclide Mobilization Frequency (RMF)RMF is defined as a loss of the design basis confinement for a source of radionuclides, leading to an unintended mobilization of a significant amount of radionuclides with the potential for internal or external release, e.g. more than 1 EBq (1018 Bq) I-131 or equivalent [87]. The threshold value and its reference radionuclide (or radionuclides) has to be adjusted to the facility under consideration and the objectives of the study. The quantification of the radionuclide mobilization frequency (RMF) is to be done by direct frequency (or probability) of the sequence in the risk model.

Representative plant response analysis for a group of initiating eventsThe initiating events group is represented by a specific scenario (representative event) with specific boundary conditions and assumptions. The representative plant response analysis develops the further progression of the scenario given the success or failure of safety provisions, safety functions, or barriers. In PSA, the final result of this analysis will be the event tree model for the initiating event group.

Risk [13])Risk is defined relative to hazards or accidents. A hazard is something that presents a potential for health, economical or environmental harm. Risk associated with the hazard is a combination of the probability (or frequency) of the hazardous event and the magnitude of the consequences. The consequences can be represented in several dimensions. A usual engineering definition of risk associated with an event i is: Risk (event i) = “the probability of an event i” x “the consequences of an event i”. [13] p. 69 after [15].

It should be noted that in this definition “hazard” is used in a broad sense and not with respect to natural or man-made hazard events.

Risk Measure and Risk Metrics (see also ASAMPSA_E D30.5)“In the context of risk measurement, a risk metric is the concept quantified by a risk measure.” [14]. The risk metric is a feature or property of the risk model like e.g. a consequence, a transition between two states of the risk model, or an indicator derived from another risk measures. The risk measure includes in addition the quantification procedure for the risk metric. Risk measures are used for the representation, discussion, and interpretation of PSA results. For risk measures like core damage frequency, conditional failure probability of a system, or basic event importance for CDF to be used, the risk model has to support the respective risk metrics. However, under the ASAMPSA_E project the two terms risk metrics and risk measures have been used without distinction. For this reason, in this report, the term risk measure will be used as a more comprehensive term even if only the risk metric


IRSN/PSN-RES/SAG/2017-00019 23/142


is meant. The term risk metric will be used if specifically the metric aspect is addressed or if there would otherwise be ambiguities.

ScreeningThe title of the present document is “Methodology for Selecting Initiating Events and Hazards for Consideration in an Extended PSA”. In the related literature and also here very often the word “screening” is used instead. Screening is the process to determine if an item is to be included in the extended PSA, the kind of treatment to follow, and the priority of the activities to be carried out (this phrase adapted from IAEA–TECDOC-1581 [105]).


IRSN/PSN-RES/SAG/2017-00019 24/142


4 GENERAL METHODOLOGY FOR THE SELECTION OF INITIATING EVENTS AND HAZARDS IN AN EXTENDED PSA

The general methodology for identifying initiating events and hazards is similar for PSA and deterministic safety assessment (DSA) practice. It is described, amongst others, in the IAEA safety requirements, e.g. SSR-2/1 for the design of NPP [2], and specific safety guides, e.g. SSG-2 on deterministic safety analysis [3] and SSG-3 on PSA level 1 [4] (cf. section 5.1.1). The basic concepts are also part of WENRA Reference Levels for existing [11] and for new reactors [35]. National regulation and guidance documents on DSA and PSA from Europe (e.g. [10], [30], [36], [37], [39], [40], [41], [42], etc.) and from America (e.g. [9], [33], [34], [43], [44], [56]) are either compatible with that basic approach or refer to the aforementioned sources. It has to be noted for example the EPRI Report 1022997 “Identification of External Hazards for Analysis in Probabilistic Risk Assessment” [65] which provides a very detailed guidance and is mentioned in the French contribution. In the ASAMPSA_E report a particular emphasis is given to IAEA documents.

The selection of a set of initiating events and hazards (internal or external) to be considered in an extended PSA is a progressive and iterative process which can include the following steps:

Selection of initiating events for the internal events PSA (one NPP, all reactor states)

- Development of an exhaustive (as far as possible) list of initiating events that can challenge the NPP safety functions,

- For each plant operating state, plant response analysis and grouping of initiating events that have a similar impact on the NPP,

- Estimation of occurrence frequency of the grouped initiating events,

- Bounding probabilistic analysis in order to select the initiating events to be considered in detail in the internal event PSA (using qualitative or quantitative screening criteria),

- A list of internal events can be justified for the internal events PSA.

Selection of hazards scenarios for internal / external hazards PSAs (with no correlations between hazards, limited to one NPP, all reactor states)

- Development of an exhaustive (as far as possible) list of internal / externals hazards which can challenge some NPP safety functions and leads to hazards scenarios,

- For each plant operating state, plant response analysis and grouping of hazards scenarios that have a similar impact on the NPP,


IRSN/PSN-RES/SAG/2017-00019 25/142


- Estimation of occurrence frequency of the grouped hazards scenarios,- Bounding probabilistic analysis in order to select the hazards scenarios to be considered in detail

in each hazard PSA (using qualitative or quantitative screening criteria),- A list of hazard scenarios can be justified for each hazard PSA.

Selection of combinations of hazards for an extended PSA (with all correlations between internal / external hazards / initiating event, limited to one NPP, all reactor states)

- Identification of the possible hazards (hazard scenarios) / internal events combinations,

- For each plant operating state, plant response analysis after grouping of combinations that have a similar impact on the NPP,

- Bounding probabilistic analysis in order to select the combinations to be considered in the extended PSA (using qualitative or quantitative screening criteria).

Selection of combinations of hazards for a site extended PSA (with all correlations between internal / external hazards / initiating event, all NPPs on a site, all reactor states)

- Definition of a list of site initial states (combination of the status of each NPP operation state),- Identification of the possible hazards (hazards scenarios) / internal events combinations,- For each site initial state of the site (NPPs) response analysis grouping of combinations that have

a similar impact on the NPPs,- Bounding probabilistic analysis in order to select the combinations to be considered in the

extended PSA (using qualitative or quantitative screening criteria).

These steps may appear beyond the existing state-of-the-art. To identify the gaps that may exist, the following chapter provides some summaries of existing national practice and international standards in this area. It was suggested to the authors of each summary to consider the following issues:

a) How to identify and quantify dependencies and correlations between different hazard or event scenarios.

b) Which (quantitative) screening criteria should be applied, which risk metrics would be suitable.

c) What constitutes and how to identify a high impact/low probability event.d) What constitutes a maximum impact?e) Need to utilize the levels of Defence in Depth (AOO, DBA, and DEC)?f) Which approaches to bounding analysis are suitable for an extended PSA and upon which

criteria a detailed probabilistic investigation and modelling can be omitted.


IRSN/PSN-RES/SAG/2017-00019 26/142


5 REVIEW OF EXISTING APPROACHES

5.1 INTERNATIONAL ORGANIZATIONS

5.1.1 INTERNATIONAL ATOMIC ENERGY AGENCY (IAEA)

The following subchapter proposes an analysis of existing IAEA publications. Many IAEA publications are important in the context of the ASAMPSA_E project.

5.1.1.1 PIE for deterministic approach

The approach for identifying initiating events and hazards as endorsed by the IAEA is described in the IAEA safety requirements, e.g. SSR-2/1 for the design of NPP [2], and specific safety guides, e.g. SSG-2 on deterministic safety analysis [3] and SSG-3 on PSA level 1 [4] (cf. section 5.1.1). It should be noted that hazards are included in the identification process for initiating events by their adverse effects on the safety of the plant. SSR-2/1 states in requirements 16 and 17 on the identification of initiating events:

1) “The design for the nuclear power plant shall apply a systematic approach to identifying a comprehensive set of postulated initiating events such that all foreseeable events with the potential for serious consequences and all foreseeable events with a significant frequency of occurrence are anticipated and are considered in the design.” [2], p. 18f

2) “All foreseeable internal hazards and external hazards, including the potential for human induced events directly or indirectly to affect the safety of the nuclear power plant, shall be evaluated. Hazards shall be considered for the determination of the postulated initiating events and generated loadings for use in the design of relevant items important to safety for the plant.” [2], p. 20f

In particular, SSR-2/1 calls for using engineering judgement and deterministic as well as probabilistic safety analysis for identifying initiating events, taking into account failures of SSCs, human error, and hazard impacts for all operating states. With respect to hazards identification, NS-R-3 defines general requirements on the scope of external events analysis [20], p. 10ff, which shall extend at least to earthquake and surface faulting, meteorological events, flooding, geotechnical hazards, and external human-induced events. For other potential events, historical data shall be investigated and applicability assessments shall be performed.

IAEA SSG-2 [3] gives more guidance on the identification of postulated initiating events. In particular, SSG-2 explains that postulated initiating events should be assigned to the categories of anticipated operational occurrences, design basis accident conditions or beyond design basis accident conditions. The assignment to these different categories should be done based on deterministic (fulfilment of safety criteria) as well as probabilistic (expected frequency of occurrence) considerations. A summary


IRSN/PSN-RES/SAG/2017-00019 27/142


is shown in Table 5-1. In addition, SSG-2 recommends a categorization of postulated initiating events by their effects with relation to the fundamental safety functions of control of reactivity, heat removal from the fuel, and confinement of radioactive material and limitation of releases. This results in a grouping of postulated initiating events into the following categories:

a) “Increase or decrease of the removal of heat from the reactor coolant system;b) Increase or decrease of the flow rate for the reactor coolant system;c) Anomalies in reactivity and power distribution;d) Increase or decrease of the reactor coolant inventory;e) Release of radioactive material from a subsystem or component.” [3], p. 6

This classification should be used as a starting point of a top-down analysis for determining potential initiating events by systematically searching for events which could lead to the respective events.

Table 5-1 Subdivision of postulated initiating events according to SSG-2, [3], p. 8

5.1.1.2 IE for PSA

SSG-3 gives recommendations for the determination of initiating events for the purpose of PSA (level 1) [4]. In particular, SSG-3 points out that different tools and approaches should be used for the identification of initiating events. SSG-3 specifically mentions [4], p. 26,


IRSN/PSN-RES/SAG/2017-00019 28/142


a) Bottom-up analysis approaches like hazard and operability (HAZOP) studies (cf. e.g. [17]) or failure mode and effects analysis (FMEA – cf. e.g. [18]), which should be systematically employed for all front line operating and stand-by systems as well as support systems;

b) Top-down analysis, e.g. master logic diagrams (cf. e.g. [7]) , for identifying failures leading to challenges of normal operation;

c) List of initiating events, either from other existing PSA or in standards and guides (including regulation on deterministic safety assessment);

d) Evaluation of operating experience events that have challenged normal operation;e) Evaluation of the plant safety analysis report and other deterministic analyses on design and

beyond design basis accidents.

By using different, proven methodological approaches, the identification process for initiating events should be as comprehensive as possible. Notably, SSG-3 does not explicitly recommend investigating potential combinations of different initiating events in light of potential dependencies between these events. This is, however, mentioned for new reactor designs [4], p. 26. In addition, consequential failures or secondary effects of an initiating event should be taken into account (see e.g. [24], p. 7, in light of internal hazards). For multi-unit sites, attention should be paid to event scenarios that affect more than one of the units, and to initiating events triggered by events or accident sequences in another unit [4], p. 27.Conceptually, hazard events should be introduced into the safety analysis by their impact on plant systems, i.e. them triggering (postulated) initiating events. According to SSR-2/1 [2], the list of initiating events should be complemented by hazard specific events, if the existing list of internal initiating events is not representative for the respective hazard scenarios1 (e.g. multiple failure scenarios). With respect to the identification of hazards for PSA, SSG-3 [4] gives further guidance. The general approach to the identification of hazards is quite similar to the approach for internal events. For both internal and external hazards, first the available relevant information on the plant and the site should be collected. Then, a comprehensive list of internal and external hazards should be produced, comprising at least internal hazards, external natural hazards and external human-induced hazards. As a starting point, SSG-3 recommends to use hazard lists in related publications and from previous (PSA) studies. In addition, SSG-3 provides a generic list of potential internal and external hazards (cf. [4], p. 155ff). Other IAEA publications on hazard analysis include [19], [22], [23], [24], [26], and [27], which give additional guidance on the scope of hazard analysis. These generic lists of hazards have to be assessed regarding applicability, relevance, and site-specific frequency of occurrence. To this end, the hazards identification has to be complemented by site and plant specific analyses [4], p. 60. The next step in the hazard identification process consists of the analysis of combinations of hazards. First, a comprehensive list of applicable hazard combinations should be drawn up, taking into account

1 On the definition of hazard scenario, see the glossary. It should be noted that it is consistent with the usage of the term “scenario” in [6].


IRSN/PSN-RES/SAG/2017-00019 29/142


potential dependencies between hazards. SSG-3 specifically mentions the following causes for dependence between hazards [4], p. 60f:

a) Common contributing factor leading to (external or internal) hazards occurring during a short time period (especially for natural hazards, e.g. weather conditions leading to high winds and strong precipitation),

b) Hazard events (whether external or internal) that are induced/triggered by a prior hazard event (e.g. tsunamis are often induced by strong earthquakes).

It should be noted that SSG-3 only discusses specific combinations of hazard events and does not specifically mention human-induced hazards. Nonetheless, there might be dependencies between human-induced hazards and specific external as well as internal hazards. Moreover, there might also be dependencies between hazard events and internal events, the most obvious example being “loss of preferred power” and a number of hazard events. Both for internal initiating events and for hazards and the combinations thereof, the next steps are conceptually similar. First, the events have to be grouped into a number of classes. The criteria for the grouping [4], p. 30 includes:

a) The transient response of the plant following the event,b) The safety systems required for the containment of the event and the respective success

criteria,c) The availability and failure of safety and support systems including I&C,d) The secondary effects and consequential failures of the event,e) The response by plant operators.

Initiating events can be assigned to a group, if they exhibit the same properties with respect to the grouping criteria2. The implications of plant operating states should be considered. For each group, a representative scenario with enveloping boundary conditions and characteristics, i.e. conservative with regard to safety analysis, has to be defined [4], p. 30. Simultaneously, the grouping should not be overly conservative, which limits the different scenarios that can be assigned to one group. It should be noted that SSG-3 does not reference the classification of event scenarios by levels of Defence in Depth for this grouping.With respect to hazards, SSG-3 assumes that the grouping is an element of the screening process. Nonetheless, the principles described for internal events should be transferred. Thereby, hazards should be grouped with regard to the triggered initiating events (including the effects of the hazards scenario on the availability of safety and support systems), if such grouping is needed to reduce the number of analysis cases. For some hazards or combinations of hazards, the introduction of subdivisions3 (amplitude / frequency) might be necessary [4], p. 63. Again, a hazard scenario consisting of enveloping boundary conditions has to be defined for each hazard group or subdivision

2 With regard to determining the frequency of occurrence, this procedure requires that all scenarios, which are combined into an initiating event group, are contributing to its frequency. 3 Subdivisions would typically be defined by ranges of hazard impact parameter(s), like e.g. peak ground acceleration between 0.1g and 0.5g.


IRSN/PSN-RES/SAG/2017-00019 30/142


[4], p.63. It should be noted that at this stage only (hazard) events and/or combinations thereof that are deemed “not applicable”4 are removed from further consideration.For deterministic analysis purposes, it is usually sufficient to define suitable limiting cases, taking into account the general applicability of the events and/or their combinations for anticipated operational occurrences, design basis accidents, and beyond design basis accidents/design extension conditions [3], p. 6. To this end, the frequency of occurrence of the relevant scenario has to be determined at least qualitatively, if the criteria in Table 5-1 are applied. For the purposes of PSA, a more elaborate screening process might be needed. Following SSG-3, if initiating events/event groups are removed from further analysis, this has to be based on screening criteria, which ensure scenarios potentially important to the risk of the plant are not excluded [4], p. 29.For hazard events, SSG-3 recommends the following systematic screening approach [4], p. 61f.

a) Dependent on the intensity of the hazard, no initiating event will be triggered,b) The scenario develops slowly, there is sufficient time to control the event, adverse

consequences are very unlikely,c) The hazard scenario can be subsumed into another hazard (group),d) The hazard scenario has a significantly lower frequency of occurrence than other hazards,

which lead to similar or worse consequences; simultaneously, the uncertainty of the frequency estimation is not significant for the risk assessment.

There are no statements as to how screened out initiating event and hazard scenarios, especially by items c) and d), should be treated with regard to their potential contribution to PSA results and/or probabilistic safety targets. A consistent approach would be to add their contribution to the enveloping event scenario frequency of occurrence.The screening should at least initially be based on maximum impact [4], p. 63 (i.e. intensity). If a hazard cannot be screened out based on this maximum impact, sometimes a subdivision of the hazard into different subcategories related to hazard intensity is needed [4], p. 63. SSG-3 explicitly mentions that the removal of a hazard scenario5 from further consideration does not imply that combinations with other hazards could be summarily removed [4], p. 64.While SSG-3 gives no quantitative recommendations on screening criteria thresholds, it emphasizes that screening threshold criteria should be commensurate to the purpose of the PSA [4], p. 29, and the core damage frequency (target) for the plant from hazards6 [4], p. 62. Moreover, SSG-3 highlights that screening criteria should prevent low frequency but high impact events to be screened out [4], p. 64. Finally, SSG-3 cautions that the screening process might need to be revisited for specific applications [4], p. 30. SSG-4 on PSA level 2 explains that the PSA level 2 requirements will influence and might 4 SSG-3 gives no clear definition of “not applicable” for this purpose. If it is physically impossible for an event to occur at a plant/site, this is clearly fulfilled. In some cases, however, the likelihood of the phenomenon to significantly affect the plant is merely judged to be very small (i.e. not reasonably possible). In this latter case, combinations with other (hazard) events would need to be removed from further consideration separately (see [4], p.64). 5 If there are subcategories for the hazard event, this applies to them as well.6 SSG-3 does not make a similar same statement for internal events. However, the PSA results and/or target should be taken into consideration for the whole screening process.


IRSN/PSN-RES/SAG/2017-00019 31/142


change the definition of plant damage states and thereby the accident sequence analysis [28], p. 18. This is underscored again with respect to PSA level 2 for hazards scenarios [28], p. 22. Since the end states of the PSA (whether level 1 or level 2) constitute a boundary condition for the screening process, it follows that PSA level 2 requirements might influence the initiating event selection process7.In order to perform quantitative screening for a specific scenario, the respective frequency of occurrence needs to be determined. For internal events (and hazards), the frequency determination should be based to the extent feasible on operating data according to SSG-3 [4], p. 48 and p. 83. Moreover, expert judgement can be used, if justified [4], p. 48. For external hazards, frequency determination is by necessity specific to the hazard scenario and to the plant. SSG-3 gives some general guidance on the frequency estimation of hazard events [4], p. 98ff. In particular, frequency estimations should take into account “recent available data, site specific information, and as-built and as-operated plant conditions” [4], p. 98, and use state-of-the-art methodology. There are no specific recommendations as to how to determine the frequency of occurrence for combinations of (hazard) events in SSG-3.Hazard specific guides of the IAEA ([19], [22], [23], [24], [25], [26], and [27]) give more detailed guidance on suitable methods for hazard screening, the determination of hazard frequencies of occurrence, and e.g. the derivation of intensity/frequency curves. Insights relevant for hazards identification and screening for the purpose of PSA are briefly summarized in the following.

NS-G-1.5 [22] discusses external events, except for earthquake hazard, with regard to the design of nuclear power plants. From the deterministic side, the guide recommends to define design basis external events (DBEE) and subsequently classify safety features by external events. While NS-G-1.5 states that combinations with independent events should not be investigated “unless a combination of these events is shown to have a sufficiently high probability of occurrence“ [22], p. 13, current practice would stress the importance of actively looking for combinations with relevant probabilities. With regard to PSA, the guide recommends that “[p]robabilistic evaluations should be carried out for the definition of suitable design combinations between external events and internal accidents, addressing both their potential correlation and their joint probability [22], p. 13. Moreover, NS-G-1.5 mentions the potential impact of (long term) loss of Ultimate Heat Sink, (long term) loss of off-site power supply, potentially adverse conditions to performing corrective measures or providing back-up facilities, implication of the long duration of events, and the simultaneous challenge to multiple levels of defence in depth.For the selection of hazards (i.e. hazard scenarios), NS-G-1.5 [22] recommends determining credible events based on deterministic as well as probabilistic methods, the latter being understood determining hazard (frequency of occurrence) curves. The application of screening values should be consistent to other screening values. NS-G-1.5 [22], p. 21, specifically emphasizes the relationship of frequency of hazard screening thresholds to PSA risk metrics

7 While not discussed in SSG-4, the initiating event screening for an extended PSA could be done in light of PSA level 2 risk metrics, which might be appropriate for high impact events.


IRSN/PSN-RES/SAG/2017-00019 32/142


(e.g. core damage frequency) and implicit assumptions about the reliability of safety measures. Moreover, the need for consistency to siting analyses is underlined.NS-G-1.5 [22], p. 23ff, gives guidance on the definition of a hazard scenario (for deterministic analyses) and discusses how the boundary conditions for hazard scenarios should be chosen. The recommendations to consider affected plant locations, affected safety functions (e.g. by consequential failures), and related loads to SSC can be transferred for hazards scenarios for probabilistic analyses as well. For specific hazards and the determination of their frequency of occurrence, NS-G-1.5 [22] mostly refers to NS-G-3.1 [19] for human-induced events, NS-G-3.5 (superseded by SSG-18 [26]) for flooding, NS-G-3.5 for meteorological events (superseded by SSG-18 [26]), and Provisional Safety Standards Series No. 1 for volcanism (superseded by SSG-21 [27]). Specific aspects of each case see below.

SSG-9 [25] treats seismic hazards for nuclear installation. Different seismic mechanism (ground motion, fault displacement and related phenomena like liquefaction, subsidence, etc.) are mentioned. SSG-9 [25] p. 7ff recommends as a starting point for seismic hazard determination a thorough investigation of the site and its vicinity (regional and near regional) using geological, geotechnical, geophysical, hydrological and other methods to get a good understanding of the site properties. Moreover, the paleoseismic record of the site and its vicinity (earthquake catalogue) needs to be determined. The information should be put into a seismological database for the site [25], p. 12ff. Therewith, a regional seismotectonic model [25], p. 15ff, should be developed, which encompasses all identified, relevant seismogenic structures and allows for diffuse seismicity. Seismogenic structures need to be properly characterized with respect to the model parameters (at least the applicable maximum magnitude and attenuation relationships), together with estimations of related uncertainties. The scope and level of detail of the model depends on available data and scientific understanding of the seismogenic properties of the site. For probabilistic analyses, seismic hazard frequency curves have to be derived from the aforementioned model, usually given by frequency of exceedance for the relevant magnitude of impact parameter. SSG-9 gives related guidance for ground motion hazard curves, which are often based on peak ground acceleration or response spectrum, and the amplitudes and duration of the earthquake shock.8 At least for PSA purposes, alternative seismotectonic models should be included in uncertainty assessments.Thereafter, SSG-9 gives specific recommendation on probabilistic seismic hazard analysis [25], p. 26f. With regard to identification of events, SGG-9 points out that frequency values for screening out seismic impact scenarios can be very low (e.g. 10-8 per year) depending on the purpose of the PSA and the overall CDF (or LRF) of the plant. Correspondingly, the validity of the database and related hazard frequency models, which might be biased and come with

8 Not explicitly mentioned in SSG-9 are other seismic phenomena directly affecting the site, like fault displacement, liquefaction, subsidence, etc., for which similar frequency and/or conditional probability curves should be generated.


IRSN/PSN-RES/SAG/2017-00019 33/142


large uncertainties, should be assessed. At a minimum, seismic hazard frequency determination should include

o a seismotectonic model with all relevant sources, their boundaries and distances for the site, including respective uncertainties,

o for each seismic source a characterization in terms of maximum magnitude, seism frequency, magnitude-frequency relationship and related uncertainties,

o selection of appropriate attenuation relationships,o consideration of the site response as appropriate, ando integration over all sources and contributions.

The hazard frequency distributions need to be connected, like in design basis analysis [25], p. 32ff, to appropriate response spectra, phase and coherence relationships as well as duration of seisms.In addition, SSG-9 [25], p. 29ff, emphasizes the potential relevance of capable faults at or near the site in light of the effects of (surface) fault displacements. On probabilistic fault displacement analysis, the basic approach described above should be followed. For each relevant fault, the displacement vs. frequency distribution should be determined.

SSG-18 [26] is dedicated to the groups of meteorological and hydrological hazards. They are discussed together since they are often related. The guide specifically covers “those associated with wind, water, snow, ice or hail, wind driven materials; extreme water levels (high and/or low) around or at the site; dynamic effects of water (e.g. waves, tsunamis, flash flooding); extreme air temperature and humidity; extreme water temperature; and extreme groundwater levels” [26], p. 5. For these hazard groups, important phenomena are presented, their potential impact on the hazard assessment is discussed.With respect to probable maximum impact, SSG-18 specifically states that these terms are not defined probabilistically, i.e. by reference to a frequency of exceedance [26], p. 9f. However, SSG-18 only gives a working definition of maximum probable impact in case this is defined by existing physical limits on variables of interest (possibly from site characteristics like topology) [26], p. 10. SSG-18 continues with specific advice on the data gathering and data evaluation for meteorological and hydrological hazards. Importantly, SSG-18 points out that measured data with extreme value statistics can only support frequency of exceedance evaluations that is commensurate to the observation period; a factor of about 3 between the observation period and the inverse frequency9 is deemed appropriate. For extreme events, measured data should be complemented by historical data, anecdotal reports, and paleogeological information, as applicable. The latter is specifically recommended for hydrological hazard events like flooding or tsunami.

9 SSG-18 used the term “return period”. Since one recommendation of the ASAMPSA_E project is to discourage the use of “return period” when referring to non-periodic events, the term “inverse frequency” is used instead, while frequency is understood to designate an “annual probability”.


IRSN/PSN-RES/SAG/2017-00019 34/142


SSG-18 recommends using deterministic, statistical and probabilistic hazard analysis approaches complementarily to perform hazard assessments. For statistical approaches, extreme value statistics of measured data in conjunctions with uncertainty and sensitivity analysis are recommended. With regard to probabilistic hazard assessment, SGG-18 gives specific recommendations on the following fields.

o Still water elevation,o Wind-generated waves,o Earthquake-induced tsunamis (and some remarks on land-slide induced tsunamis),o Peak river discharges (Flooding level).

Especially for statistical and probabilistic approaches, the time-dependent statistical characteristic of data should be taken into account, i.e. changes over time should be considered when deriving current and future hazard frequencies. This pertains e.g. to the effects of climate change, but also to changes in topography, the drainage basin, water networks, including man-made changes, and land-use [26], p. 90ff.SSG-18 gives specific recommendations on design basis parameters for meteorological and hydrological hazards, stating specific parameters of interest for these cases [26], p. 78ff. The correlation between certain meteorological and hydrological events (e.g. precipitation and flooding) needs to be addressed. The importance of analysing the (near-) simultaneous impact of correlated phenomena (hazards) is underlined, but no specific methods are identified. Instead, “combinations of events should be carefully analysed with account taken of the stochastic and non-linear nature of the phenomena involved as well as any regulatory requirements or guidance applicable for such cases.” [26], p. 80. SSG-18 specifically cautions that the frequency of exceedance estimations should consider the duration of occurrence, the degree of dependence, and also the potential combined impact on the plant, employing a considerable amount of engineering judgement. For design basis parameters, either a maximum probable impact (see above) or a target annual frequency of exceedance needs to be established. For combination of hazard events (or phenomena), a limiting annual frequency of exceedance needs to be established, which then allows for the exclusion of combinations from further consideration in the design for the following reasons.

o “The postulated combination does not produce a combined effect on some part of the plant.

o The annual frequency of exceedance for the combined event is equal to or less than the established limit for the acceptable annual frequency of exceedance.

o The combination is not physically possible.” [26], p. 81Subsequently, SSG-18 provides advice on specific combination, which should be considered. These include wind wave activities for all flood events, similarly shoreline instability, jamming due to debris and flotsam, and ice effects in case of flooding.SSG-18 is restricted to the determination of the design envelope for hazard events and hazard events combinations, i.e. specific hazard event scenarios. The connection to triggered internal


IRSN/PSN-RES/SAG/2017-00019 35/142


initiating events (PIE) is not elaborated on. Similarly, there is no specific advice on determining beyond design basis hazard scenarios, which would be of interest for PSA Level 1 and Level 2 investigations. The assumption would be that results of the hazard assessments for design basis events should be used also for beyond design basis frequency of exceedance determination, with hazard scenarios determined based on plant impact on capabilities of protective measures. Regarding the latter, SSG-18 gives some recommendations [26], p. 83ff. Importantly, SSG-18 highlights monitoring and warning systems for meteorological and hydrological hazards [26], p. 92ff, which have to be taken into account in bounding analyses for PSA.

SSG-21 [27] treats volcanic hazard assessment, especially in the context of siting, since potential volcanic hazard impact is usually an exclusion criterion and sources of volcanic activity are usually well-known. The guide elaborates a number of volcanic phenomena10, which might affect a site (and plant), for which recommendation on deterministic and probabilistic approaches for determining design basis limit parameters are given [27], p. 38ff.

o Tephra fallout: Parameters like credible thickness for fallout deposits or grain size distribution, dependent on sources, magnitude of eruptions, distance and meteorological conditions. Simulation models might be required.

o Pyroclastic flows: Parameters like pyroclastic density current and runout distance. Simulation models might be required. Exclusion criterion.

o Lava flows: Parameters like path of lava flow. Exclusion criterion.o Debris avalanches and landslides: Parameters like flow path, velocity. Exclusion

criterion.o Debris flows, lahars, and floods: Parameters like flow path or discharge rate (models

from SSG-18 are applicable), dependent on possible sources, topography, etc. Since these are exclusion criteria in siting, in principle, because of high discharge rates, flow velocities, and short warning times, only effects from far-away sources should be relevant to NPP.

o Opening of new vents: Parameter like distance, also in relation to other hazard volcanogenic phenomena. Exclusion criterion.

o Missiles: Parameters like missile range vs. missile mass, dependent on sources (explosivity of eruption). Exclusion criterion, but see tephra.

o Volcanic gases: Parameters like extreme gas concentrations. Since NPP should be located outside the zone of influence of volcanic gases due to other exclusion criteria and other potential impacts, this should not be relevant to NPP. However, note phenomena like massive emissions of CO2 from crater lakes like at Lake Nyos in 1986.

10 As pyroclastic flows, lava flows, debris impact and landslides, lahars, opening of vents, missiles, volcanogenic tsunamis and flooding, ground deformation, and groundwater anomalies are exclusion criteria during siting [27], p. 8f, and as areas affected by such activities are rather well known, NPP should be located outside of the zone of influence of such phenomena. They should, therefore, not be relevant for an extended PSA for an NPP.


IRSN/PSN-RES/SAG/2017-00019 36/142


o Tsunamis and seiche: Parameters like tsunami run-up height (cf. also SSG-18 and SSG-9). The risk of significant and long-distance volcanogenic tsunamis from slope collapse or underwater eruptions has to be evaluated. This might require simulations.

o Atmospheric phenomena and explosions: For example parameters like lightning strike. NPP should be located outside the zone of influence of such phenomena due to other exclusion criteria.

o Ground deformation: Parameters like ground displacement. Exclusion criterion (but cf. SSG-9).

o Volcanogenic earthquakes: Refer to SSG-9 [25]. o Hydrothermal systems and groundwater anomalies: Parameters like distance from

phenomena. Exclusion criterion. The guide further recommends producing a comprehensive, site-specific volcanic hazards model, which specifically considers combined effects of (correlated) volcanic phenomena, and combinations with non-volcanic (hazard) events like seismic or meteorological events [27], p. 58f. The guide gives no specific recommendation on the determination of beyond design basis events or related frequency of exceedance values, which would be relevant for PSA Level 1 and Level 2. Furthermore, the connection to triggered internal initiating events (PIE) is not elaborated on. However, only some volcanogenic hazards like tephra fallout or volcanogenic tsunamis and potentially lahars may be relevant for extended PSA due to their potential for long-distance effects.With respect to screening limits, SSG-21 recommends using a screening limits for annual frequency of a (specific) volcanic hazard event (considering the different phenomena of volcanic activity) of 10-7 per year. This is consistent with the guide’s recommendation to classify areas as potentially active volcanic zones if (relevant) volcanic activity has occurred within the last 10 Ma [27], p. 9f, p. 31ff.Finally, SSG-21 highlights the importance of monitoring systems (if applicable) and inclusion of hazard impact in emergency planning (if applicable) [27], p. 63ff.

NS-G-1.7 [23] gives advice on design against internal fires and explosions. Relevant for this report are the recommendations that all fire and explosion sources shall be systematically investigated. Fire events shall be “postulated wherever fixed or combustible material is located”, with one fire at a time, for all operating states [23], p. 4. Explosion event should be “identified for fire compartments, fire cells and other locations”, considering “flammable gases and liquids and combustible materials” relevant for chemical explosions, physical explosions (e.g. due to high energy arching faults), and explosions induced by fire exposure [23], p. 8. Secondary effects of fire [23], p. 14ff, p. 33ff and consequences of explosions [23], p. 8, shall be considered, including the triggering of the one by the other [23], p. 9. The potential impact of external fires as well as lightning impact is mentioned. In addition, the secondary effects of fire extinguishing systems should be analysed as well [23], p. 14, p. 20ff. The effect of ventilation systems, both on the spreading of fire and its secondary effects as well as for the


IRSN/PSN-RES/SAG/2017-00019 37/142


spreading of explosion hazards (e.g. flammable gases) needs to be taken into account. The guidance explicitly recommends looking into fire (and explosion) events that happen simultaneously with other (internal) initiating and using probabilistic arguments for the exclusion from further consideration in the design envelope. For PSA analysis of fire events, IAEA Safety Reports Series No. 10 [85] is referenced. This, in turn, is basically superseded by SSG-3 [4], especially regarding Fire PSA screening, but includes still valid recommendations for internal fire PSA.

NS-G-1.11 [24] discusses internal hazards not treated in NS-G-1.7 [23]. The guide recommends a comprehensive identification and screening process for internal hazards, possibly making use from probabilistic analyses [24], p. 11. Moreover, the guide explicitly highlights the importance of secondary effects and cascading effects from internal hazards, including e.g. secondary missiles, falling objects, high energy parts failures, flooding, chemical reactions, fire, electrical damage, electromagnetic interference [24], p. 7ff, failure of structural elements [24], p. 25, effects of pipe whip and jets [24], p. 29ff. It should be noted that these effects can e.g. be triggered by external hazard impact as well, and are thus relevant to plant impact assessment and bounding analysis. NS-G-1.11 specifically mentions that probabilistic screening values are set by regulators and decision-makers based on what risk is deemed acceptably small [24], p. 6.

NS-G-3.1 [19] provides recommendations on external human-induced events. Regarding the investigation of hazards, the guide recommends a comprehensive approach to gathering data on potential hazard sources for potentially hazardous impacts due to “air pressure wave and wind, projectile impact, heat (fire), smoke and dust, toxic and asphyxiant gases, chemical attack by corrosive or radioactive gases, aerosols or liquids, shaking of the ground, flooding or lack of water, ground subsidence (or collapse) and/or landslide, electromagnetic interference, eddy currents into the ground” [19], p. 7f. Moreover, NS-G-3.1 explicitly mentions that different sources will often lead to a combination of impacts and possibly multiple initiating events [19], p. 8ff. For screening, the guide recommends to use frequency screening after the initial applicability screening. The screening probability level for deterministic studies should be set by the regulator, but values of 10 -7/a are mentioned for new NPP [19], p. 16f. For impact assessment, this should be complemented by a screening distance value (SDV). If the plant is outside of the SDV for the source, the maximum impact affecting the plant would not pose a challenge to plant safety (i.e. trigger an event). If events cannot be screened out based on frequency screening or (maximum) impact assessment, the guide recommends a more detailed assessment [19], p. 20f. Furthermore, [19] provides specific recommendations on identification, screening and (deterministic) assessment of aircraft crash, release of hazardous fluids, explosions, and events such as fires, ship collisions, or electromagnetic interference. With regard to probabilistic assessments, there are only some specific recommendations on the determining of hazard frequencies.


IRSN/PSN-RES/SAG/2017-00019 38/142


At this stage, the initiating event selection process has determined the list of scenarios that should be investigated, because they cannot be screened out. It can be noted that the overall approach is quite comprehensive and in line with the stated goals for an extended PSA.

The next step in a PSA consists of (probabilistic) bounding analyses for the respective scenarios in order to decide whether a more detailed probabilistic modelling is merited or not. SSG-3 mentions this explicitly for hazard events [4], p. 98, but not for internal events11. In bounding analysis, the safety features of the plant are taken into consideration in a simplified manner for the event scenario under investigation. Using the available information on safety system availability ([4], p. 65ff & p. 91f) and engineering judgement, e.g. the conditional core damage probability (or an upper limit) is estimated in a conservative way [4], p. 66 & p. 91f. Thus, an upper limit for the contribution of the hazard scenario to the PSA results12 is arrived at. If the bounding analysis demonstrates that contributions from the respective scenario are not significant with relation to other (similar) scenarios, a more detailed probabilistic model is not required. Nonetheless, SSG-3 cautions that (at least) the cumulative contribution from bounding analysis should be “retained in the final results of the Level 1 PSA”13 [4], p. 91.The use of bounding analysis is seen as an important step for limiting the resources needed for a PSA.

5.1.1.3 Fault Sequence Analysis Method

In response to the Fukushima Dai-ichi accident, IAEA has developed the Fault Sequence Analysis Method. While that method is not reflected in official guidelines of the agency, it nonetheless merits some further discussion. The approach [67], [68] uses existing PSA models (event & fault trees for internal events, basic events, etc.) and processes the minimum cut set list(s) determined for specific (internal) events. Then, the analyst has to assign to each element in the list of PSA components (i.e. basic events, initiating events, and possible logical switches) and for each hazard under consideration a threshold value, at which the component is assumed to be disabled or malfunctioning. For initiating events, the respective event is triggered. Conceptually, these threshold values should be taken from the design basis of the plant for the respective systems, structures and components.In the following step [67], [68], the analyst can then vary the hazard impact for each hazard in the matrix. The analysis tool will determine all components, for which at least one hazard impact exceeds the threshold values. Related basic events will be set to unavailable in the cut set list. If all elements of at least one cut set in the list are established as failed, then it will be assumed that the scenario could

11 Conservative (simplified) approaches to the modelling of the plant response have been used in PSA not only for initiating events but in the development of accident sequences as well. If the likelihood of a failure sequence is very small, it might be treated conservatively as e.g. “core damage” even if there would be further resources available to control the scenario.12 SSG-3 only mentions core damage frequency as risk metric. The screening should apply the risk metric(s) that have been selected for the purpose of the PSA. For a PSA level 2, this could relate e.g. to a total release risk metric, for a PSA level 3, it could relate e.g. to the long-term loss of land due to contamination.13 While this statement in SSG-3 is only made with reference to external hazards, it is implied in the internal hazards section and should be applied for internal events.


IRSN/PSN-RES/SAG/2017-00019 39/142


not be controlled by the safety systems. By systematically varying the impact magnitudes for each considered hazard (in steps), it is possible to determine so called “limiting extreme events” [67] (including combinations of hazard event impacts).With respect to PSA, this method at least allows for some evaluation of plant behaviour in case of hazard impact and particularly of multiple hazard impact. It could therefore be considered e.g. for support in hazard impact and bounding assessments within an extended PSA. However, the method provides assistance neither on hazard frequency determinations, nor on (quantitative descriptions of) correlations of hazards, nor on detailed hazard impact and plant response modelling.

5.1.2 WESTERN EUROPEAN NUCLEAR REGULATORS ASSOCIATION (WENRA)

A principal aim of the Western European Nuclear Regulators’ Association (WENRA) is to develop a harmonized approach to nuclear safety within the member countries. One of the major achievements was set of safety reference levels (RLs) for operating nuclear power plants (NPPs). The RLs are agreed by the WENRA members. They reflect expected practices to be implemented in the WENRA countries. For some of the issues highlighted by the RLs specific guidance was also developed by WENRA.Since then, the construction of new nuclear power plants has begun or is being envisaged in several European countries, WENRA developed also safety objectives for new nuclear power plants. In the following paragraphs are presented the specific PSA aspects included into:

Safety of new NPP designs, Safety reference levels for existing reactors, Existing guidance for safety reference levels.

A. Safety of new NPP design

Report - Safety of new NPP designs, March 2013

The report presents WENRA safety expectations for the design of new NPPs. A Generic list of External Hazard is also provided in this document.Some important items related to the external hazards are:The safety assessment for new reactors should demonstrate that threats from external hazards are

either removed or minimized as far as reasonably practicable. This may be done by showing that all

relevant SSCs required to cope with an external hazard are designed and adequately qualified to

withstand the conditions related to that external hazards.

External Hazards considered in the general design basis of the plant should not lead to a core melt

accident. Accident sequences with core melt resulting from external hazards which would lead to early

or large releases should be practically eliminated. For that reason, rare and severe external hazards,


IRSN/PSN-RES/SAG/2017-00019 40/142


which may be additional to the general design basis, unless screened out, need to be taken into

account in the overall safety analysis.

For new reactors external hazards should be considered as an integral part of the design and the level

of detail and analysis provided should be proportionate to the contribution to the overall risk.

The first step in addressing the threats from external hazards is to identify those that are of relevance

to the site and facility under consideration. Any identified external hazard that could affect a facility

should be treated as an event that can give rise to possible initiating events.

The list of external hazards to be considered should be as complete as possible and include all of the

hazards mentioned in the relevant IAEA sources. These sources have been combined to produce a

consistent and coherent list which is included in the end of this section. This generic list is a starting

point and it is expected that it would be augmented by any site specific hazards not included. The

overall demonstration should include justification that the list (generic + site specific) is complete and

relevant to the local site.

Screening is used to select the External Hazards that should be analysed. The screening process

should take as a starting point the complete list discussed in the previous section. Each external

hazard on the list should be considered and selected for analysis if:

a. It is physically capable of posing a threat to nuclear safety, and

b. the frequency of occurrence of the external hazard is higher than pre-set criteria.

The pre-set frequency criteria may differ depending on the nature of the analysis that is to be

undertaken. Typically for the general design basis, where the analysis will be done using traditional

conservative methods, assumptions and data, the criterion will be higher than the frequency criteria

used for analyses of rare and severe external hazards or PSA that could employ realistic, best estimate

methods and data. Therefore the screening process may lead to separate, but compatible lists of

external hazards for the range of analyses to be undertaken and there should be a clear and

consistent rationale for the differences in the lists. In all cases the pre-set frequency criteria used

should be stated and justified taking into account the way the hazards are going to be analysed in the

safety demonstration. The degree of confidence of the estimated frequency of occurrence should be

stated and justified taking into account the related uncertainties according to the state of knowledge.

The screening process should explicitly consider correlated events and combinations of events.

The external hazards analysis includes the design of SSCs which are relevant to ensuring that the

fundamental safety functions are fulfilled, development of probabilistic models where necessary, and

the consideration of rare and severe external hazards. [35]

B. References levels for existing reactors and associated guides

1. Report - Safety Reference Levels for Existing Reactors, September 2014

The document presents WENRA safety expectation related to the exiting reactors. The relevant issues for extended PSA are the following:


IRSN/PSN-RES/SAG/2017-00019 41/142


Issue F: Design Extension of Existing Reactors

A set of DECs shall be derived and justified as representative, based on a combination of deterministic

and probabilistic assessments as well as engineering judgement.

The selection process for DEC A shall start by considering those events and combinations of events,

which cannot be considered with a high degree of confidence to be extremely unlikely to occur and

which may lead to severe fuel damage in the core or in the spent fuel storage. It shall cover:

Events occurring during the defined operational states of the plant;

Events resulting from internal or external hazards;

Common cause failures.

Where applicable, all reactors and spent fuel storages on the site have to be taken into account.

Events potentially affecting all units on the site, potential interactions between units as well as

interactions with other sites in the vicinity shall be covered.

The DEC analysis shall reflect insights from PSA level 1 and 2.

The design extension conditions shall regularly, and when relevant as a result of operating experience

and significant new safety information, be reviewed, using both a deterministic and a probabilistic

approach as well as engineering judgement to determine whether the selection of design extension

conditions is still appropriate.

Issue O: Probabilistic Safety Analysis (PSA)

For each plant design, a specific PSA shall be developed for level 1 and level 2, considering all relevant

operational states, covering fuel in the core and in the spent fuel storage and all relevant internal and

external initiating events. External hazards shall be included in the PSA for level 1 and level 2 as far as

practicable, taking into account the current state of science and technology. If not practicable, other

justified methodologies shall be used to evaluate the contribution of external hazards to the overall

risk profile of the plant.

PSA shall be used to support safety management. The role of PSA in the decision making

process shall be defined.

PSA shall be used to identify the need for modifications to the plant and its procedures,

including for severe accident management measures, in order to reduce the risk from the

plant.

PSA shall be used to assess the overall risk from the plant, to demonstrate that a balanced

design has been achieved, and to provide confidence that there are no "cliff-edge effects".

PSA shall be used to assess the adequacy of plant modifications, changes to operational limits

and conditions and procedures and to assess the significance of operational occurrences.

Insights from PSA shall be used as input to development and validation of the safety significant

training programmes of the licensee, including simulator training of control room operators.

The results of PSA shall be used to ensure that the items are included in the verification and

test programmes if they contribute significantly to risk.


IRSN/PSN-RES/SAG/2017-00019 42/142


Issue S: Protection against Internal Fires

The fire hazard analysis shall be complemented by probabilistic fire analysis. In PSA level 1, the fires

shall be assessed in order to evaluate the fire protection arrangements and to identify risks caused by

fires.

Issue T: Natural Hazards

Natural hazards shall be considered an integral part of the safety demonstration of the plant (including

spent fuel storage). Threats from natural hazards shall be removed or minimised as far as reasonably

practicable for all operational plant states. The safety demonstration in relation to natural hazards

shall include assessments of the design basis and design extension conditions with the aim to identify

needs and opportunities for improvement.

All natural hazards that might affect the site shall be identified, including any related hazards (e.g.

earthquake and tsunami). Justification shall be provided that the compiled list of natural hazards is

complete and relevant to the site.

Natural hazards shall include:

Geological hazards;

Seismotectonic hazards;

Meteorological hazards;

Hydrological hazards;

Biological phenomena;

Forest fire.

Natural hazards identified as potentially affecting the site can be screened out on the basis of being

incapable of posing a physical threat or being extremely unlikely with a high degree of confidence.

Care shall be taken not to exclude hazards which in combination with other hazards have the potential

to pose a threat to the facility. The screening process shall be based on conservative assumptions. The

arguments in support of the screening process shall be justified.

The exceedance frequencies of design basis events shall be low enough to ensure a high degree of

protection with respect to natural hazards. A common target value of frequency, not higher than 10-4

per annum, shall be used for each design basis event. Where it is not possible to calculate these

probabilities with an acceptable degree of certainty, an event shall be chosen and justified to reach an

equivalent level of safety. For the specific case of seismic loading, as a minimum, a horizontal peak

ground acceleration value of 0.1g (where ‘g’ is the acceleration due to gravity) shall be applied, even if

its exceedance frequency would be below the common target value.

Events that are more severe than the design basis events shall be identified as part of DEC analysis.

Their selection shall be justified. Further detailed analysis of an event will not be necessary, if it is

shown that its occurrence can be considered with a high degree of confidence to be extremely

unlikely. [11]


IRSN/PSN-RES/SAG/2017-00019 43/142


5.1.3 ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT/ NUCLEAR ENERGY AGENCY (OECD/NEA)

OECD/NEA working groups have not developed specific guidance report on screening criteria but they recognize the importance of this topic. For example, during the 2014 workshop on external events [58], it was concluded the following.“Some methods and guides are available for seismic hazard determination, identification of external

hazards, screening of external events for detailed consequence analysis, including several lists of

screening criteria. However, additional development is also needed in area of consensus standards

and guides; for example IAEA continues developing the methodological support for external hazards

analysis.”

“Screening methods play a large role in external events PSA. Systematic approaches that search

for and then screen, as appropriate, potentially important combinations of external hazards are

needed.”

5.1.4 ASME/ANS

The standard ASME/ANS RA-S [54], [56] has two screening criteria: one for the internal initiating events at power and one for external events at power. The standard includes the following screening criteria for initiating events and groups to eliminate internal initiating events at power or groups from further evaluation [54]:(a) the frequency of the event is less than 1E-7/a, and the event does not involve either an ISLOCA,

containment bypass, or reactor pressure vessel rupture;(b) the frequency of the event is less than 1E-6/a, and core damage could not occur unless at least two

trains of mitigating systems are failed independent of the initiator, or(c) the resulting reactor shutdown is not an immediate occurrence. That is, the event does not require

the plant to go to shutdown conditions until sufficient time has expired during which the initiating event conditions, with a high degree of certainty (based on supporting calculations), are detected and corrected before normal plant operation is curtailed (either administratively or automatically).

In case of the application of the criterion (a) or (b) the confirmation of the adequacy of the used value is necessary.The scope of external events covered by the standard includes both natural external events (e.g., earthquakes high winds, and external flooding) and human-made external events (e.g., airplane crashes, explosions at nearby industrial facilities, and impacts from nearby transportation activities).The ASME/ANS RA-S standard [54], [56] requires that all potential external events (both natural hazards and man-made events) that may affect the site shall be considered and shall be subjected to either screening, bounding (demonstrably conservative) analysis, or detailed analysis. The list of


IRSN/PSN-RES/SAG/2017-00019 44/142


external events that should be included as a minimum is provided in the standard. Requirement for supplementing of the list with the site-specific and plant-unique external events is given.The preliminary screening is qualitative and is performed using a set of screening criteria [54]:Criterion 1: The event is of equal or lesser damage potential than the events for which the plant has

been designed.Criterion 2: The event has a significantly lower mean frequency of occurrence than another event and

the event could not result in worse consequences than the consequences from the other event.

Criterion 3: The event cannot occur close enough to the plant to affect it.Criterion 4: The event is included in the definition of another event.Criterion 5: The event is slow in developing allowing sufficient time for adequate response.

A bounding (demonstrably conservative) analysis can be used for screening of events using three quantitative screening criteria. The conservatism of the analysis is demonstrated by accounting for all uncertainties, approximations, or simplifications that might invalidate the demonstration if not accounted for appropriately [54].Criterion A: The current design-basis hazard event cannot cause a core damage accident.Criterion B: The current design-basis hazard event has a mean frequency <10-5/a, and the mean value

of the conditional core damage probability (CCDP) is assessed to be <10-1.Criterion C: The core damage frequency, calculated using a bounding (demonstrably conservative)

analysis, has a mean frequency <10-6/a.The Criterion C is based on the criteria for assessment of the design basis hazards given in the Standard Review Plan (SRP) of the US NRC [55].

The standard [54], [56] requires performing a walkdown of the plant and its surroundings as a basis for the screening out of an external event. The standard also requires for documenting the screening out of an external event in a manner that facilitates applying the PSA and updating it and that enables peer review. If an external event cannot be screened out using either the qualitative criteria or the quantitative criteria then it shall be subjected to detailed analysis.

Considering the questions raised in Section 2 the following can be concluded:a) How to identify and quantify dependencies and correlations between different hazard or event

scenarios. The AMSE/ANS RA-S standard is structured so that requirements for the analysis of the PSA results, including identification of significant contributors, identification and characterization of sources of uncertainty, and identification of assumptions are done on a hazard group basis. Each hazard group is treated separately. All significant dependencies and correlations that affect the results should be considered in the model in the integration-quantification of risk measures.


IRSN/PSN-RES/SAG/2017-00019 45/142


b) Which (quantitative) screening criteria should be applied, which risk metrics would be suitable.Described in details above.

c) What constitutes and how to identify a high impact/low probability event.Standard is based on assessment of the consequences of the event, including low probability/high consequence event. Standard recognizes that conservative estimate of a mean value is not a point estimate. When uncertainties are large, as it is normally case for such events, the mean frequency can fall above the 95th percentile of the distribution. Therefore, it is incumbent on the analyst to document the evidence that justifies estimates of uncertainties, approximations, or simplifications leading to the estimate of the mean event frequency or CDF.

d) What constitutes a maximum impact?The postulated failure of the systems, structures and components is based on the evaluation of the plant specific fragility or vulnerability information of the analysed element.

e) Need to utilize the levels of Defence in Depth (AOO, DBA, and DEC)?There is no explicit requirement in the standard about utilization of the defence-in-depth philosophy in the development of the PSA model.

f) Which approaches to bounding analysis are suitable for an extended PSA and upon which criteria a detailed probabilistic investigation and modelling can be omitted?Described in details above.

5.2 COUNTRIES

5.2.1 BELGIUM

Screening criteria for internal and / or external hazards (for consideration in PSAs) have not been developed or used up to now. Internal hazards PSA are being developed for internal fire and internal flooding, following WENRA Reference Level O1.1 (and its transposition into art. 29.1 (objective and scope of PSA) of the Royal Decree of 30.11.2011 concerning safety regulations for nuclear installations). External hazards PSAs are currently not yet envisaged for Belgian NPPs.

5.2.2 BULGARIA

In Bulgaria, the main regulatory requirements related to the identification of initiating events and hazards, as well as directions to the PSA development are specified by the “Regulation on Ensuring the Safety of Nuclear Power Plants”, Published SG, No.66 of 30 July 2004, amended SG No. 46 of 12 June 2007, amended SG No. 53 of 10 June 2008, and amended SG No. 5 of 19 January 2010 [69]. The regulation was developed on the basis of IAEA Safety Standards and the WENRA reference levels for operating NPPs. The regulation contains detailed instruction related to the determination of the design basis and safety evaluation, the characteristics of the site and the safety requirements for the nuclear power plant and its systems.


IRSN/PSN-RES/SAG/2017-00019 46/142


The regulation requires that postulated internal initiating events shall be grouped into different categories depending on their frequency of occurrence per calendar year. “Grouping shall be based on the following four categories of plant states:

1. category 1 – steady and transient states during normal operation;2. category 2 – anticipated operational occurrences, with frequency above 10-2 events per year;3. category 3 – accidents of low frequency of occurrence, in the range between 10-2 and 10-4 events per year;4. category 4 – design basis accident of very low frequency of occurrence, in the range between 10-4 and 10-6 events per year.” [69], Art.12, paragraph 1, p. 3.

In addition, the regulation contains a typical list of postulated initiating events and the categories of plant states that shall be considered in the Safety Analysis. [69], Annex to Art.12, paragraph 12, p.36.Also, NPP design shall analyse, as initiating events, possible human errors and possible combinations of internal and external events based on realistic assumptions, Art.12, paragraph 3, from Regulation [69], p. 3. It is required that NPP design shall take account of specific environmental conditions and loads to safety important SSC, resulting from internal events and site specific external events and hazards.In accordance with Art. 21, paragraph 1 from the regulation [69], the PSA shall be carried out with the objective to: demonstrate a balanced design where each postulated initiating event has a proportional impact upon the overall plant risk and the safety is ensured mainly by the first two levels of defence in depth, and evaluate the frequencies and the consequences of the external events specific to the site.Furthermore, the regulation requires that the PSA shall be included [69], Art.21, paragraph 2, p.6:

1. all modes of operation, all postulated initiating events, including internal fire and flooding, severe weather conditions and seismic events;2. all possible important dependencies (functional dependencies, area dependencies and other interactions and impacts, leading to common cause failures);3. uncertainty analysis or sensitivity analysis of the results;4. realistic modelling of plant response, taking into account operator actions in accordance with operational and accident instructions;5. human error analyses, taking into account the factors which can influence the performance of operating personnel in all operational states and accident conditions.

Also, the safety guide “Probabilistic Safety Analysis of Nuclear Power Plants” [70] contains additional guidelines for enforcement of the regulation and interpretation the requirements established by the regulation. This guide has a recommendatory nature. In respect to the identification of initiating events, the guide defines in the section 2.53, p.13 that the exhaustive list of potential internal events is defined by the active participation of the staff of the plant. In order to ensure (as much as possible) greater completeness of the list of potential initiating events, the following methods are used: system analysis; use of analytical methods – “Master Logic Diagram”, Failure Modes and Effects Analysis


IRSN/PSN-RES/SAG/2017-00019 47/142


(FMEA), or other relevant analytical methods; evaluation of the operational experience; evaluation of internationally recognized and available lists of initiating events for similar types of plant.Furthermore, the guide gives additional guidelines for grouping and screening of Initiating events [70]. During the grouping, the developer shall ensure that [section 2.59, p. 14]: all initiating events belonging to the same group have similar direct consequences and mitigation requirements in terms of plant response and success criteria for prevention of core or fuel damage; those initiating events that have the potential for a large radionuclide release (e.g., steam generator tube rupture, catastrophic rupture of the reactor pressure vessel and etc.) shall be modelled independently in separate groups; the mitigation requirements for each individual event in the group are less restrictive than the requirements defined for the group.Regarding to the screening of internal hazards, the guide states that, the events (such as internal explosions; release of toxic gas and other events presented in the section 2.95, p. 18 from the guide) do not need to be included in the PSA model, when one of the following conditions is met [70]: shall be demonstrated with qualitative arguments that the hazard has a negligible contribution to the CDF/FDF

(for example, if the impact on the plant does not lead to a demand of safety systems or the effects are already covered by events that have a significantly higher frequency of occurrence); a quantitative evaluation demonstrates that the contribution to the CDF/FDF is less than 10-9 per year.

5.2.3 CANADA

CNSC Regulatory Standard Probabilistic Safety Assessment (PSA) for Nuclear Power Plants [44] requires consideration of all internal and external hazards in the PSA. The set of events to be considered in safety analysis is identified using a systematic process and by taking into account [44]:

o reviews of the plant design using methods as Hazard and Operability Analysis, Failure Mode and Effects Analysis, and Master Logic Diagrams,

o lists of events developed for safety analysis of other NPPs, as applicable,o analysis of operating experience data for similar plants,o any events prescribed for inclusion in safety analysis by regulatory requirements,o equipment failures, human errors and common-cause events identified iteratively with

PSA.All permissible plant operating modes should be analysed. Modes that occur transiently can be addressed without a specific analysis, as long as it can be shown that the existing safety analyses bound the behaviour and consequences of those states.

Postulated initiating events include credible failures or malfunctions of SSCs, as well as operator errors, common-cause internal hazards, and external hazards.The set of external PIEs to be considered should include, where appropriate [50]:

fires, floods, earthquakes, volcanism, extreme winds and other extreme weather conditions,


IRSN/PSN-RES/SAG/2017-00019 48/142


biological phenomena, human-induced events, toxic and asphyxiant gases and corrosive gases and liquids, electromagnetic interference, damage to water intakes, explosions at nearby industrial plants and parts of transport networks.

Human-induced external events, that are considered, include [51]:o aircraft or missile impacts,o explosions (deflagrations and detonations) at nearby industrial facilities or transportation

systems,o release of toxic or corrosive chemicals (gases and liquids) from nearby industrial facilities or

transportation systems,o electromagnetic interference,o fire generated from offsite sources (mainly for its potential for generating smoke and toxic

gases),o collision of ships or floating debris with accessible safety-related structures, such as water

intakes and UHS components collision of vehicles at the site with SSCs,o any combination of the above, as a result of a common initiating event (such as an explosion

with fire and release of hazardous gases and smoke).Malevolent acts including aircraft crashes are considered separately. Human induced hazards which are classified as DBA are taken into account as loads in the abnormal/extreme environmental load category. Less frequent human induced hazards are considered part of DEC.

SelectionEach external natural and human-induced event is identified and assessed with the following considerations [53]:

The potential direct and indirect effects of the event on the structures, systems and components (SSC), including those that could affect the safe operation of the NPP in both normal and abnormal operating states.

The potential combined effects of external and human-induced events with normal and accidental releases that would exceed environmental limits or cause a significant adverse effect to occur; and

Effects that would influence the ability to successfully implement emergency plans.

Natural external hazards are evaluated and screened out based on the following criteria [51]: a phenomenon which occurs slowly or with adequate warning with respect to the time required

to take appropriate protective action,


IRSN/PSN-RES/SAG/2017-00019 49/142


a phenomenon which in itself has no significant impact on the operation of a NPP and its design basis,

an individual phenomenon which has an extremely low probability of occurrence, the NPP is located at a sufficient distance from or above the postulated phenomenon, a phenomenon that is already included or enveloped by design in another phenomenon (for

example, storm-surge and seiche can be included in flooding).In defining the scope of events to be analysed, the deterministic safety analysis should select the same cut-off frequency as that used in the probabilistic analysis for the same facility.

Classification of events The identified events could be grouped into categories based on similarity of the initiating failures, key phenomena, or system and operator responses. Examples of event categories include decrease of the reactor coolant inventory, reactivity and power anomalies, and increase/decrease of heat removal.The purpose of event classification is to [50]:

justify the basis for the range of events under consideration, reduce the number of initiating events requiring detailed analysis to a set that includes the

most bounding cases in each of the various event groups credited in the safety analyses, but that excludes events with identical system performance (relating, for example, to their timing, the plant systems response, or radiological release fractions),

allow the application of different acceptance criteria to differing event classes, with a justification of the basis for each of the event classifications included in the description provided in this section.

Events are classified because each plant state has different safety analysis requirements and acceptance criteria, requirements that reflect the level of protection in accordance with the principle of defence in depth, as follows [49]:

• anticipated operational occurrences (AOO) – frequencies of occurrence equal to or greater than 10-2 per reactor year - events reasonably expected to occur during the lifetime of a plant, and having the potential to challenge the safety;

• design basis accidents (DBA) – frequencies of occurrence equal to or greater than 10-5

per reactor year, but less than 10-2 per reactor year - events considered in the design of the nuclear power plant and not expected to occur during the lifetime of a plant; however, certain groups of events with lower frequency may also be included in the plant design basis;

• beyond design basis accidents (BDBA) – frequencies of occurrence less than 10 -5 per reactor year - events with low probabilities of expected occurrence, which may be more severe than DBA (involve multiple failures and/or operator errors).

An event with a predicted frequency that is on the threshold between two classes of events, or which has a substantial uncertainty in the predicted event frequency, is classified into the higher frequency class.


IRSN/PSN-RES/SAG/2017-00019 50/142


In order to establish an understanding of margins of safety or of the robustness of the design, the regulatory authority may request that certain events be analysed as design basis accidents or as representative severe accidents. Past practices and experience may indicate that certain scenarios are more critical and should be analysed as DBA.

Event combinationsWhere the results of engineering judgment, deterministic and probabilistic safety assessments indicate that a combinations of events (which may occur either simultaneously or sequentially) could lead to AOO or to accident conditions, such combinations of events should be considered to be DBA or should be included as part of DEC, depending on their likelihood of occurrence.

Licensees must consider combinations of events, including consequential and correlated events. Examples of consequential events include external events (such as a cooling water intake blockage caused by severe weather) and internal events (such as a fire caused by an earthquake); examples of correlated events include heavy rainfall concurrent with a storm surge or high winds caused by a hurricane.

For a site with multiple units, the potential for specific hazards simultaneously impacting several units on the site should be considered [51].In response to the Fukushima Dai-ichi accident, the CNSC directed Canadian NPP licensees to review the lessons learned and to re-examine the safety cases of NPPs for ensuring that sufficient defence-in-depth margins are available, with a focus also on external hazards such as seismic, flooding, fire and extreme weather events.

5.2.4 CZECH REPUBLIC

In 2008, performance of new comprehensive external risk analyses for Czech NPP Dukovany was initiated at UJV Rez. Some of the analyses are still on-going. Guidelines, methodologies and other publications released by IAEA, NRC, WENRA and EPRI have been used as the main sources of information, see ref. [2], [26], [27], [58] - [65] . National requirements related to external events risk assessment (incl. combinations of external events) arise from the safety instruction BN-JB-1.7 (Application of PSA methodology in the regulatory process) [66].

A. For selection and risk evaluation of external events the following principles have been applied:

1. Principle of external events categorization


IRSN/PSN-RES/SAG/2017-00019 51/142


The principle requires splitting the plant states into two categories: 1) DBA (Design Basis Accidents) external events and 2) DEC (Design Extension Conditions) external events, as shown in the picture below.

For purposes of the safety reports, it is necessary to evaluate the resistance of a NPP against the consequences of every single external event in the DBA (Design Basis Accidents) category with annual frequency of occurrence equal to or higher than 1 x 10 -4 event per year.

Estimation of overall risk resulting from external events requires also to take into account response of the NPP corresponding to DEC category (RISK = Risk DBA + Risk DEC). The annual frequency of onset of external events for DEC (Design Extension Conditions) category should lie between 1 x 10 -4 - 1 x 10 -7

event per year (if unit response fails) or 1 x 10 -4 - 1 x 10 -6 event per year (if unit response is limited) . Control risk indicators - CDF, LERF and “Cliff Edge Effects“ (CCDP) – have been used for selection of external events in PSA model.

The principle of categorization also includes preparation of a structured list of external events containing the following parameters: 1. Areas of event occurrence, 2. Category of event and 3. Type of event. For example, external events belonging to the same Category of event can be used for estimation of the annual frequency of occurrence and to determine the resistance of structures and systems against the effects of external events.

2. Principle of practical elimination Principle of practical elimination allows excluding the external events with negligible contribution to the risk of the NPP.The contribution rate depends on the age of technology and the basic level of unit risk (CDF). At UJV Rez, the negligible contribution to unit risk was defined as proportion - 1% of the total annual unit risk (CDF, LERF).

External events with not well-defined scope or parameters were also discarded. Typical examples of discarded external events are events in the research stage, events with large uncertainties in frequency of occurrence or with uncertainty in intensity of the hazard (e.g. sun storm).


IRSN/PSN-RES/SAG/2017-00019 52/142


B. External events identification and screeningThe main steps of identification and screening external events are:

a) Full list of all external events (used sources: EPRI, WENRA, IAEA)b) Qualitative screening (questions of applicability, possibility, speed)c) Quantitative screening (1. frequency of external event, 2. hazard parameters, 3. risk measures)

Acc. a) The full list of all external events was compiled as a sum of all external events specified in the following documents:

1) EPRI 1022997

Identification of External Hazards for Analysis in Probabilistic Risk Assessment.

2) WENRA Guidance Document Issue T: Natural Hazards Head Document, Guideline for the WENRA-RHWG Safety Reference Levels for Natural hazards introduced as lesson learned from TEPCO Fukushima Daiichi accident.

3) IAEA NS-G-3.3

Evaluation of Seismic Hazards for Nuclear Power Plants.

4) IAEA NS-R-3 Site Evaluation for Nuclear Installations.

5) IAEA DS433 Safety Aspects in Siting for Nuclear Installations

6) IAEA SSG-25 Periodic Safety Review for Nuclear Power Plants

Note: The full list includes 70 external events (Dukovany NPP).

Acc. b) The following information and criteria were used for qualitative screening (questions of applicability, possibility, speed):

Data Area of interest / desired data Area of interest (criterion)

a) Geographical data Site vicinity (0 -5 km), Near region (5 – 25 km) /Geographical location of the unit, a unit altitude, position of rivers, position of industrial operations, position of military operations, position of airports, position of transport routes etc.

0 - 25 km

b) Geological data Site vicinity (0 -5 km), Region (25 – 300 km) /Position of local geological faults, geological data from the area of NPP, geological data from the region of NPP etc.

0 - 300 km

c) Meteorological data Site vicinity (0 -5 km), Near region (5 – 25 km) / Statistics data related to rainfall, temperature, wind speed etc.

0 - 25 km

d) Biological data Site vicinity (0 -5 km) /Occurrence of fauna and flora, with possible impact on the NPP.

0 - 5 km

d) Transport data Site area (location of unit), Site vicinity (0 – 5 0 - 10 km (6 mil)


IRSN/PSN-RES/SAG/2017-00019 53/142


Data Area of interest / desired data Area of interest (criterion)

km), Near region (5 – 25 km) /Frequency and location of air corridors, the frequency and size of transports inside and outside site area etc.

e) Data from balance and logistical analyses

Site vicinity (0 -5 km) /Balance of water inventories, possibility for external power sources restoration etc.

0 – 5 km

Note: Based on the qualitative screening, 33 external events were excluded from the full list of 70 external events for Dukovany NPP.

Acc. c1) Frequency of occurrence of external events at the NPP area was assessed by considering the following information:

Data Required data Area of interest (criterion)

Meteorological events

a) Meteorological data Knowledge of meteorological data for at least 50 years (data related to the analysed hazard). 0 - 25 km

b) DB parameters Project values resistance of structures, systems and components (design basis parameter). 0 – 5 km

Seismic events

a) Seismic hazard analysis

Seismic hazard curves for Site vicinity (0 -5 km) NPP.

300 km (geological data from the region)

b) Maximum seismic event

The maximum possible intensity of seismic events (g or m/s2) in the area and site vicinity of unit.

-

c) The values of design seismic event

Values SL1 (g or m/s2 for F = 10-2 events per year) and SL2 (g or m/s2 for F = 10-4 events per year).

-

d)

DEC (Design Extension Conditions) for seismic event.

Value of SSE (Safe Shutdown Earthquake) for unit as results of resistance of unit. -

e) Spectral analysis data Data on acceleration hazard curves -

Dangerous transports

a) Data on transportsType of transported hazardous substances.Length of transport with a range of possible leakage into the area of unit.

10 km

b) Aerial transportation

Number of airports around the NPP and position/orientation of the runways.Number of aircraft categories.Number of flights in each category.Air corridors in the vicinity of the NPP.Size of the effective area in relation to the NPP.

35 km (DOE)10 km + SDV (IAEA)SDV - Screening distance value

Accident of industrial


IRSN/PSN-RES/SAG/2017-00019 54/142


Data Required data Area of interest (criterion)

plants

a) Data on industrial plants

The type and quantity of stored hazardous substances. The accident scenarios. 10 km

The Gumbel distribution (50-SG-S11A [61]) has been used for statistical evaluation of frequency of occurrence of high impact / low probability events. Only 3 external events were excluded by frequency from the original list of 70 external events during the quantitative screening phase.The overall screening process resulted in a final list of 19 external events determined for further detailed analysis as a part of PSA for Dukovany NPP.

Acc. c2) Assessment of the hazard parameters of the external events was based on the following criteria:

1. Any hazard is a feature of process or phenomenon, as a result of formation of an external event.

2. Any external event may be associated with multiple hazards. For example, a flood wave (external event) may be associated with the following hazards: a) kinetic energy of wave, b) corrosive environments, c) electrically conductive environment.

3. Maximum value of a hazard parameter is defined as a resistance value for a component defined by design (DB parameters).

4. Influence of external event on the risk of the unit can be ignored if value of hazard parameter < value of DB parameter for each safety relevant component.

Note : 15 external events were excluded on the basis of “hazard parameters” criteria from the original list of 70 external events during the quantitative screening phase.

Acc. c3) Evaluation of risk measures of the unit was based on the following activities

Area of activity Activity

a) PSA model Analysis of initiating events caused by a particular hazard was performed. PSA model allows calculating the total risk of a nuclear unit from all considered emergency scenarios.

b) FIE of external events Frequency of initiating event was estimated.

c) Fragility curves Development of Fragility Curves is necessary for calculating the probability of failure of structures, systems and components depending on the parameter value of hazard.

The risk from external events is insignificant, if all three of the following conditions apply:1. CDF (from external event) < 1% CDF (Total CDF for unit)2. LERF (from external event) < 1% LERF (Total LERF for unit)3. Accident scenarios from external events are not the type of “Cliff edge effect” (CCDP)


IRSN/PSN-RES/SAG/2017-00019 55/142


One of the most important parts of external event analysis has been evaluation of SSC (Structures, Systems, and Components) fragility in consequence of external events. The Evaluation of SSC fragility has been carried out in a deterministic way, i.e. only two possibilities of external event impacts has been taken into account - 1) SSC undamaged (0) or 2) SSC damaged (1). The reason for adopting such approach may be lack of information related to the impact of external events on SSC and/or insufficient methodological support.The approach described above was taken for analysis of all external events except seismic analysis. The seismic analysis has been carried out according to PSA methodology using a probabilistic approach, i.e. fragility curves have been used for the evaluation of SSC fragility.

C. Combination of external eventsThe main steps of combination of external events are as follows:

a) Formation of a matrix for all combinations of external events,b) Analysis of combination type for each combination of external events,c) Analysis of the dominant hazard for each combination of external events,d) Risk calculation,e) Selection of dominant combinations of external events.

A matrix created for Dukovany NPP contains 70 x 70 external events. Each combination of external events can be associated with one of the following types:

1. Coincidental Hazards Hazards occurred simultaneously without a common mechanism. For example, an earthquake shortly after an aircraft crash or vice versa. Mathematically, these events are taken as independent events.

2. Consequential Hazards

Hazards with a causal relationship. These combinations are possible only if the first condition has been fulfilled – therefore, the order of hazard is important.

3. Correlated Hazards Hazards originated from the same parent event. For example, rail accident BLEVE and rail accident cold toxic gases occurred as a result of the same parent event – rail derailment. In general, one event is not causally related to any other.

4 Not Applicable Hazards

These are absurd or illogical combinations. For example, the simultaneous occurrence of the event type "high temperature" x "low temperature"

Effect of all hazards caused by external events combination on the unit has been considered. Dominant or faster hazard defines the type of IE. Correlation between currently operating hazards (lack of methodologies and information) has not been considered.

In total, 12 dominant combinations of external events with high risk potential have been selected for further analysis. Risk assessment of these combinations has not been performed yet.


IRSN/PSN-RES/SAG/2017-00019 56/142


5.2.5 FRANCE

5.2.5.1 Context

In general, in France, for operating reactors and new reactors, Level 1 and 2 PSA including all pertinent internal events, internal and external hazards should now be available for each NPP, taking into account the state-of-the art and the availability of data. If for some hazards, the state-of-the-art or the data are not available, other methods should be employed in order to assess their contribution to the installation risk.

These PSAs should cover: All the plant operational states (full power, shutdown…), The events affecting simultaneously the reactor and the spent fuel pool, The events affecting more than one site installation (or the whole site), including the long

lasting events.

Internal and external hazards PSAs are currently being developed by EDF to support the coming periodic safety review. To help in reviewing tasks, IRSN develops also some studies in parallel with a more limited scope. The quality of these hazards PSAs shall progress during the coming years.

The procedure of selection of initiating events for PSA follows specific approaches for: Internal events, Internal hazards, External hazards.

Internal eventsThe section of internal events to be considered in PSA is performed following the French Basic PSA Safety Rule (Safety Rule 2002-01, 26 December 2002) which indicates [39]:The list of initiating events studied is as complete as possible. The best approach, in order to tend towards completeness, is to use all the available information sources:

the safety analysis report, on the basis of the operating conditions, French and foreign reactor operating experience, international practices, improved knowledge and special studies, previous PSAs.

To make the list as complete as possible, the use of deductive methods is recommended in order to determine the elementary failures or combinations of elementary failures which would contribute to the loss of each safety function concerned.Initiating events are identified for all the reactor states to be examined in the PSA.The Safety Rule is applicable only for the reactor. However, by extension, similar initiating events selection procedure is applied also for the spent fuel pool.

Internal hazards


IRSN/PSN-RES/SAG/2017-00019 57/142


No specific procedure is in place for the screening-out of internal hazards to be considered in PSA. Beginning with the third period safety review of 1300 MWe plants, the list of internal hazards which are considered as causes of initiating events was progressively enlarged for all French NPP types and today include a large spectrum of internal hazards:

Internal fire, Internal flooding, Internal explosion, Heavy load drop.

These internal hazards are studied for the reactor and for the spent fuel pool.

External hazardsRegarding the external hazards, a systematic procedure for the identification of the hazards which may affect the site should be applied, and PSA should be developed if relevant. The combinations of hazards (internal or external) as well as the induced internal hazards should also be considered. Some man-made external hazards (accidental aircraft crash, industrial and transportation accidents) were already studied by EDF with probabilistic methods. Several seismic PSA were developed or are under development by EDF. The loss of heat sink and of external grid, induced by external hazard, are also treated, in a limited manner, in the internal events PSA developed by EDF for all NPP types.

EDF has recently proposed a systematic procedure, to be applied to all the French NPP sites, for the selection of the external (natural and made-made) hazards to be considered in the PSAs. This approach has been reviewed in 2015 by IRSN which highlighted the importance of correlated hazards and low frequency situations but major consequences.The principles of the approach are accepted by the Safety Authority with reserves which have been taken into account by EDF.

The industrial application of the method to all French sites is now ongoing.

5.2.5.2 French methodology for the selection of the external (natural and made-made) hazards to be considered in the PSAs

The methodology which is applied by EDF for the French NPPs includes three steps which are described hereafter (IRSN applied for the review of EDF results a similar method which is not presented in the report).

Step 1 – Elaboration of a list of potential external hazards

The external hazards to be considered are the natural and man-made events whose origin is located outside the site and that can potentially have a negative impact on the safety of the unit and lead to radiological consequences.


IRSN/PSN-RES/SAG/2017-00019 58/142


This list used by EDF was created after analysis of international practices. It is similar to the list proposed by EPRI and discussed in the frame of ASAMPSA_E; there is few differences justified by adaptations to the natural environment of the French plants and the regulatory context in France.Climatic change does not represent a hazard and has not been included in the list of potential hazards per se. But this phenomenon should be taken into account when analysing the minima and maxima of the intensity of some hazards, during the screening and quantification phases.

Step 2 - Exclusion criteria

The list of criteria for screening out the hazards considered individually and for the relevant combinations, is given in the following table:

Table 5-2 Exclusion criteria

Criterion DescriptionC1:Applicability

The hazard cannot occur on the site or sufficiently close to have an impact.

C2:Inclusion

The hazard is included in the definition of other hazards analysed for the site.

C3:Severity

The hazard can only generate potential damage lower than or equal to that caused by similar event(s) for which the plant was sized (designed and/or checked).

C4:Initiating event

The hazard doesn’t generate any PSA initiating event.orThe hazard can only generate initiating event(s) already modelled in the L1 internal events PSA model. It is necessary to either verify that the model takes account of the hazard or demonstrate that hazard’s frequency is residual in comparison with the frequency of the generated internal events.

C5:Kinetics

The hazard has sufficiently slow kinetics to demonstrate that there is sufficient time to either eliminate the effects or to implement a suitable response.

C6:Frequency

The hazard has a frequency of occurrence lower than an indicative target in order of a few 10-7per reactor year.

C7:Contribution

The risk contribution of the hazard is lower than indicative targets of a few 10 -7 per reactor year for fuel meltdown, or of a few 10-8 per reactor year for large releases.

In addition, in case of application of criteria C6 or C7, EDF will check that there is no cliff-edge effect on large releases.In so far, as evaluating the relevance of a hazard with respect to its frequency of occurrence and evaluating the relevance of a hazard with respect to its contribution to risk do not require the same level of analysis, these two aspects are clearly separated to:

Eliminate hazards on a residual frequency criterion, Eliminate hazards on their very low contribution to the risk of fuel meltdown or large releases

depending on the impact of the hazard.

If at least one of the criteria C1 to C7 is verified, the hazard can be excluded.There is no mandatory order for the analysis of Ci.


IRSN/PSN-RES/SAG/2017-00019 59/142


Step 3 - Implementation of the methodology A - Analysis of hazards considered individually

The analysis is performed for a given site and for each of the hazards in the list of potential hazards. The objective is to verify whether at least one of the criteria C1 to C7 applies and thus justify excluding the hazard from the list of candidate hazards for the preparation of a more advanced probabilistic risk assessment. There is no mandatory order for the analysis of Ci.

In support of the general approach for the analysis of every hazard of potential external hazards, the following prototype form (EDF practice) can be filled:

Description of the phenomenon

Potential impacts on the installation

Structure

s

Ventilation

s

Cooling Electrical sources Instrumentation

and control /

automation

Other

Generic Experience Feedback data relating to the phenomenonSite-specific Experience Feedback data relating to the phenomenonDefinition of the hazardDispositions for protection of the facility with respect to the hazardAnalysisConclusion

C1:

Applicability

C2:

Inclusion

C3:

Severity

C4:

Initiating

event

C5:

Kinetics

C6:

Frequency

C7:

Contributio

n

References

Figure 5-1 EDF Analysis sheet for a single hazard

The main objectives are: 1. Identification of potential impacts on the installation; six families of impacts are:

• Impacts on structures,• Impacts on HVAC which are support systems,• Impacts on cooling (via ultimate heat sink),


IRSN/PSN-RES/SAG/2017-00019 60/142


• Impacts on power sources,• Impact on I&C,• Others;

2. Identification of dispositions for protection of the facility against the considered hazard;3. Margins evaluation (compared with the requirements of the design);4. Analysis of margins adequacy;5. Filling out the various sections of this sheet allows to review the selection criteria while

documenting the analysis. If at least one criterion Ci is verified, the hazard can be excluded from the list of candidate hazards for the preparation of a more advanced probabilistic risk assessment. And, in the frame of screening method application, the analysis can be limited to this criterion.

B- Analysis of combined hazards

The analysis of combinations is important for safety reasons. For example, a site may be designed for just a river flood or just a lapping but the combination of the two might result in flooding. EDF also seek to study combinations leading to a loss of cooling water or external electrical supplies. To avoid making the combinations complex, EDF initially consider representative combinations of two hazards. Eventually, EDF can look at potential combinations of three hazards or more by combining the combinations chosen with the single hazards chosen at the end of the preceding selection phase. Their analysis can then only consist of occurrence frequency and/or risk contribution analysis.

The analysis of combinations of two threats is then performed in two steps:1 - The identification of combinations of two hazards to be analysed;2 – The application of the selection criteria.

Identification of combinations of two hazards to be analysed

The idea here is to create a grid of possible combinations.To facilitate creating this grid and the analysis of the combinations, a table is created in advance. It describes, per individual hazard, the key elements to be used for this analysis:

Seasonality (for possible elimination before creating the combination grid), Impacts (for choice of the combination elimination criteria to be used), Elimination criteria for the individual hazard (for choice of combination elimination criteria to

be used).

EDF then makes up the grid so as to not have to handle combinations that cannot occur. To this end: EDF use the list of individual hazards from which it has removed the hazards eliminated for the

site by individual selection criteria C1 and C2. Thus, the selection criteria for hazard combinations C1 and C2 are implicitly applied while preparing the combination grid,

EDF then eliminates the combinations that are mutually impossible taking into account:o their nature (for example: extreme cold and extreme heat),


IRSN/PSN-RES/SAG/2017-00019 61/142


o the associated environmental conditions (for example: extreme cold and accumulating snow),

o and their seasonality (for example: lightning mainly occurs in the spring and extreme cold in the winter).

EDF can, under certain conditions, also eliminate combinations involving an individual hazard withdrawn by criterion C6 “Frequency”. Actually, if this hazard has a frequency less that a given threshold, the combination will also have a frequency less than the same threshold. EDF must however ensure that a combination involving this hazard with a lower intensity - and therefore a higher frequency - cannot lead to a dangerous situation. Each combination thus identified will then be analysed by application of criteria C3 to C7.

Application of criteria

The application of selection criteria is practically the same as for individual hazards. However, two special features should be noted. The first concerns study of the severity of the combination. EDF wish to differentiate between combinations of hazards having, individually, the same type of impact on the installation and combinations of hazards that do not individually affect the same systems or parts of the installation. The “Severity” criterion for hazards that individually have the same impact is therefore applied as follows:

1. The combination can only generate potential damage less than or equal to that caused by one or more similar events for which the plant was designed or checked.

2. The combination of the effects of these hazards is not greater than the most severe effect of the hazards that it consists of.

The second special feature concerns the evaluation of the frequency of the combination of hazards. This evaluation must take into account any possible dependence that may exist between the two phenomena.

Conclusions on the methodology

The methodology presented above is intended to allow screening of individual hazards and combinations of hazards to identify those which are candidates for a more advanced probabilistic risk assessment. It helps to focus on most risk significant hazards. In the perspective of optimised resources allocation for safety studies, the far less risk significant hazards are excluded from more advanced probabilistic risk assessment. The two strong points of the methodology are envisaging the consequences of hazards for hazards above the values for which the installation is protected against and processing combinations of hazards in an exhaustive manner.


IRSN/PSN-RES/SAG/2017-00019 62/142


5.2.5.3 Perspectives

The results of the application of this methodology will be reviewed and discussed during the next PSRs. The appropriateness of the methodology will be examined also. First results have already been sent by EDF to the Safety Authority for the 900 MWe PWRs series.

5.2.6 GERMANY

The German practice on initiating event selection is governed by the following regulatory guides and recommendations.

1) Safety requirements for nuclear power plants, promulgated 2012 [76] 2) Interpretations to the safety requirements for nuclear power plants, promulgated 2012 [77] 3) Probabilistic Safety Analysis Guide, promulgated 2005 [78].4) PSA Methods supplemental to the PSA guide, promulgated 2005 [79]

Additional information is provided in a draft supplemental [80] to the previous PSA methods publications.Regarding the identification of (potential) initiating events for safety demonstrations (mainly deterministic demonstrations), the following high-level requirements apply:

- Anticipated operational occurrences (on DiD Level 2) are events, which are to be expected during the lifetime of the plant,

- An enveloping spectrum of design basis events (on DiD Level 3) is determined, which are not expected during the lifetime of the plant, but are to be assumed.

- Hazard events shall consider the most onerous effects for each hazard, and a potential long duration of natural hazard events. Additionally, the combinations of hazards with other hazards or internal events shall be considered, if combined events are correlated or if the severity of the combination and its frequency of occurrence merit a consideration.

- For the planning of severe accident management (on DiD Level 4), events with multiple failure scenarios shall be taken into account. Results from PSA Level 1 and Level 2 regarding likely scenarios shall be considered. Analysed event scenarios should include transients, LOCAs in the containment, interfacing LOCAs, and hazard impact events.

- A comprehensive and enveloping spectrum of PIE specific to the plant shall be determined.The safety requirements provide additional guidance on the scope of events to be considered on DiD Level 2, 3, and 4 in two annexes.In annex 2, the safety requirements provide lists of internal events PIE for PWR and BWR reactor designs by level of DiD. For each PIE, the affected technical safety goals, the applicable operating modes, and additional remarks and boundary conditions are given. The lists are based on a master logic diagram approach in line with SSG-2 [3] and SSG-3 [4], supplemented by operating experience with these reactor types. The lists in annex 2 include PIE specific to the spent fuel pool [76]. Moreover, reference [76] also defines acceptance criteria for the technical safety goals (control of reactivity,


IRSN/PSN-RES/SAG/2017-00019 63/142


cooling of fuel, and confinement of radioactivity) for the DiD levels 2, 3, and 4. For several events, additional requirements and commentary is provided in [77].In addition, further requirements on the scope of hazard impact investigations are provided. First, for all hazard impacts, potential consequential effects related to

- internal flooding,- internal fire and explosion,- increased radiation level,- reactions by chemicals,- malfunctions in the power supply, I&C or process-related components,- pressure increase or changes to pressure differences,- temperature or moisture increase,- missiles or debris impact, including dropping loads,- jet or reaction forces

need to be considered.Regarding internal hazards, the following groups of hazard events have to be investigated:

- internal fire, - internal flooding, - component failures (missiles and debris impact, jet and reaction forces),- breaks in high-energy piping,- dropped loads,- electromagnetic interference,- collision of vehicles with SSC,- internal explosions.

For multi-unit sites, it has to be demonstrated that internal hazard events in one unit do not impact on the safety of an adjacent unit. However, no specific requirements for identifying initiating events (PIE) for these hazard events or for determining their frequency of occurrence are stated.Regarding external hazards, annex 3 of [76] requests a comprehensive and complete identification and evaluation of potential external hazard events. Enveloping events (and event scenarios) shall be defined. For the following groups of hazards, further specifications on investigations and analyses are given.

- Earthquake: The design basis needs to be at least of intensity VI according to EMS/MSK. KTA 2201-1 gives recommendations for determining the design basis earthquake (DBE) using probabilistic seismic hazard analysis. The DBE shall be determined at a frequency of exceedance of 10-5/a, based on seismics hazard curves in the range of 10-2 to 10-6/a.

- External flooding: For external flooding events, simultaneous torrential rain impact to the plant site has to be taken into account. Moreover, the duration of flooding events has to be evaluated. KTA 2207 gives additional recommendations for determining the design basis flood (i.e. water level) using a probabilistic approach. The design basis flood water level at a frequency of exceedance of 10-4/a is extrapolated from the value at 10-2/a.


IRSN/PSN-RES/SAG/2017-00019 64/142


- Extreme meteorological events: The evaluation of the effects of a. high or low temperature of air or of cooling water,b. persistent drought and effects on cooling water supply,c. high winds including tornado,d. high or low humidity,e. snow,f. icing, freezing, etc.,g. torrential rain, hail,h. lightning,i. related effects like salt deposits at oceanic sites, dust and sand, missiles, etc.

is required. However, no specific requirements or recommendations are given on defining design basis events for the respective categories, or on computing frequencies of exceedance. For lightning, KTA 2206 provides further recommendations on the design basis envelope [83].

- Biological infestation and other biological impacts: The design has to consider the following scenarios:

a. Encrustation/blockage by mussels,b. Large quantities of algae, jellyfish or fish,c. Large quantities of foliage, grass or weed as flotsam,d. Large quantities of biological flotsam due to a flooding event,e. Microbiologically induced corrosion.

The safety of the plant shall not be put in peril by biological impact events. There are however no requirements or recommendation on defining design basis events for the respective categories or on computing frequencies of exceedance.

- Airplane crash: A design basis scenario is specified in [76], secondary effects like burning fuel, possibly entering plant buildings, explosion, the impact of combustion residue and smoke gases into ventilation systems, including effects on plant staff, and effects from debris and missiles shall be taken into consideration.

- External explosion: A design basis scenario is referenced in [76]. Effects for consideration include pressure waves, over- and underpressure over time, vibration, thermal impact.

- Hazardous materials: Potential effects of hazardous materials on safety-related functions due to explosion, ignition, asphyxiating impact, congestion, or corrosion have to be analysed, as well as the potential dangers from poisonous, anesthetic, asphyxiant, explosive, or radioactive materials to plant staff. No design basis scenarios are specified.

- Potential loss of cooling water supply due to flotsam, upstream dam failure, ship collision, or ship accidents has to be considered. No design basis scenarios are specified.

- External fire: The effects of smoke gas, aerosols, corrosive and toxic substances need to be considered in addition to the thermal impact. Flammable substances should not be able to enter safety-related buildings. No design basis scenarios are specified.


IRSN/PSN-RES/SAG/2017-00019 65/142


- Electromagnetic interference (other than lightning): Potential impacts external to the plant have to be identified and evaluated. They have to be considered in the design. No design basis scenarios are specified.

Turning to the determination of initiating events and hazard scenarios for PSA, there are a number of further regulatory requirements and recommendations. The PSA guide [77] requests a full scope PSA Level 1, i.e. initiating events and hazards events have to be considered for all operating modes, in principle. The guide specifies lists of internal initiating events for power operation of PWR and BWR, respectively. These lists also contain the internal hazard event groups of internal flooding and internal fire as well as the external hazard event groups of aircraft crash, external explosion, external flooding and earthquake [77]. Notably, hazard events are not specifically required to be analysed at shutdown operating states [77], [78], and German PSA basically follow that implicit restriction of scope. In addition, exemplary scenarios for PWR and BWR reactors at the interface to a PSA Level 2 for internal events at power are given. The initiating event spectra have to be checked for each plant if they are comprehensive and bounding. Initiating event frequencies (as well as hazard scenario frequencies) have to be estimated specific to the plant, combining plant specific operating experience and generic data [84].The PSA methods supplemental [79] provides further recommendations on the identification of initiating events and the screening procedure. First, the methods supplemental points out that a spectrum of initiating events should be determined by using a top-down approach (cf. SSG-2 [3], SSG-3 [4]). For shutdown states, such a procedure is specifically recommended. It should be applied for events affecting the spent fuel pool as well. Especially for low power and shutdown states, operator actions should be investigated whether mistakes and errors could trigger an initiating event. The initiating events have to be assigned to operating states, on which additional recommendations are given the methods supplemental as well [79], [80].Initiating events should be grouped together, if they exhibit the same characteristic in terms of success criteria and event progression. The methods supplemental points out that the needs of PSA Level 2 may necessitate the inclusion of additional events into the events spectrum [79]. The spectrum of initiating event should consider input from other PSAs, operating experience, and from deterministic safety analysis (cf. the lists in [76]).With respect to internal hazards, the methods supplemental gives specific recommendations on internal fire and internal flooding analysis [79]. For the identification of relevant fire compartments it recommends e.g. the method of Berry and for ignition frequency estimation a variant of the Berry method. For internal flooding, scenarios should be determined by first identifying relevant flooding sources (tanks, piping), the potentially released amounts of water, and the potential effects on plant systems (considering spreading). This information should be used to determine enveloping flooding scenarios. The determination of frequencies of leaks and breaks can be done again with the methods described in the PSA data supplemental [84].


IRSN/PSN-RES/SAG/2017-00019 66/142


With respect to external hazards, the methods supplemental [79] and a 2015 update [80] give specific recommendations for aircraft crash, explosion (pressure wave), external flooding, and seism.

- Aircraft crash: For a start, if the plant is designed to the standard given in the Safety Requirements, no probabilistic analysis is necessary. Otherwise, the methods supplemental provides [79] a method for computing aircraft crash frequency of occurrence for civil and military air traffic, and defines five classes of air craft for consideration and three categories of plant buildings, which should be evaluated for potential hazard scenarios.

- Explosion: The supplemental specifies a method for deriving the respective hazard frequency of occurrence for different impacts types (detonating substances like explosives, deflagration of gas-air mixtures). These have to be determined for different sources (transport by streets, water, logistics center, and for industrial facilities) and materials like liquefied hydrocarbon gases, flammable gases of all kinds, ammunition. If unit is designed (deterministically) against a pressure wave with peak pressure of 0.45 bar at 100 ms for safety-relevant buildings and if the resultant (accumulated) hazard frequency is below 10 -5 per year, then no probabilistic considerations are necessary. Otherwise, bounding or detailed assessments have to be performed.

- External flooding: The determination of the frequency of exceedance vs. amplitude curve according to the methods supplemental [79] did follow KTA 2207 [82]. The 2015 update [76] remains within the general scope of KTA 2207 and recommends using statistical extrapolation from measured data, while including influences relevant to flooding (e.g. precipitation, thawing, blockages, tide, dyke breaks, wave height, etc.). External flooding can be screened out, if site level flooding is practically excluded due to the site topography and plant design for a flooding event caused by a 1.5 times higher water runoff flow than assumed for the design basis flood (for inland water sites) or a 1 meter higher flood level (for sites at the sea or in the tidal influence zone). Otherwise, at least a bounding assessment has to be made, which determines in addition to the frequency of exceedance also the conditional failure probability of flooding protection barriers and measures. If this conditional probability is less than 10-2 and consequently, CDF for flooding is significantly below 10-6/a, then this bounding assessment suffices. If this cannot be shown, a detailed flooding PSA is mandated. The latter has not been performed for operational German NPP.

- Earthquake: The methods supplemental [79] and its 2015 update [80] assume availability of an updated site-specific PSHA according to KTA 2201 [81]. If the intensity value of the design basis earthquake (at 10-5/a) is at VI, which is the minimal value according to deterministic requirements, then no further probabilistic evaluations are needed. If the DBE is at an intensity between VI and VII, then a simplified approach can be followed: Increase the DBE intensity by 1 and demonstrate that this beyond design earthquake is reliably controlled by the plant. If the DBE intensity exceeds VII, then a full scope seismic PSA is required.

There are no specific recommendations on how to treat combinations of hazard events in the determination of initiating events or hazard scenarios for a PSA.


IRSN/PSN-RES/SAG/2017-00019 67/142


Initiating events can be screened out or treated in a simplified bounding analysis, if it can be shown that each event contributes no more than 10% to the total sum of CDF (and hazard state frequency) and no more than 10% to the total sum of large early releases (LERF). Moreover, the contribution of all events, which are not analysed in detail, shall not exceed 20% of the overall CDF and LERF. It is further recommended to apply the same criteria to other release categories, which in conjunction with the more recent Safety Requirements [76] would include at least LRF and ERF. No numerical targets or criteria are given. However, overall CDF and LRF values of operating German NPP are in the range of several times 10-6 to 10-7 per year. In any case, contributions from scenarios not evaluated in detail should be documented and should be considered in the PSA results.

Investigations by GRS have shown that plant-specific spectra of internal initiating events are adequately bounding for most of the events included in the Safety Requirements lists [76]. However, probabilistic investigations of hazard events in addition to those explicitly named in [78] are usually not done. Instead, the design basis of the plant, the respective safety margins and low estimated frequencies of exceedance are used to justify screening out any additional hazard scenarios. There are detailed models available for internal fire and for earthquake.

As to the questions posed at the end of section 4, the following insights can be derived from the German regulation and PSA experience.

a) How should dependencies and correlations between different hazard or event scenarios be identified and quantified? There are no specific recommendations available. Usually, combinations of events are summarily screened out due to low frequency of exceedance estimations.

b) Which specific (quantitative) screening criteria should be applied to a comprehensive list of initiating event scenarios and which risk metrics would be suitable?For the quantitative screening of events, the German PSA guide defines several criteria [77] based on the actual knowledge about plant response. The following risk measures are to be compared either to the initiating event frequency or to the frequency times the conditional probability from a (conservative) bounding assessment.

a. The estimated CDF for each event contributes less than 10% to the overall CDF of the plant.

b. The sum of estimated CDF values for all events not analysed in detail contributes no more than 20% to the overall CDF of the plant.

c. The estimated LERF for each event contributes less than 10% to the overall LERF of the plant.

d. The sum of estimated LERF values for all events not analysed in detail contributes no more than 20% to the overall LERF of the plant.


IRSN/PSN-RES/SAG/2017-00019 68/142


In these cases, no detailed assessment of the event is necessary. Especially for hazard PSA, additional screening criteria are introduced in the supplementals on PSA methods [78], [80]. Basically, scenarios with an estimated CDF below 10-6 can be screened out.If the aforementioned screening criteria based on CDF and LERF contribution to overall PSA results would be complemented by some selected further PSA Level 2 criteria, particularly LRF and ERF, and cut-off frequency values would be set to below 10 -7 for a straightforward frequency screening, this could serve as a screening scheme, which is commensurate to PSA results, supports a comprehensive screening process, and evolves dynamically with the PSA model.

c) What constitutes a high impact/low probability event and how can these event scenarios be identified effectively?German PSA regulations do not specifically address high impact/low probability events, and German PSA experience cannot provide examples for the identification of such events in initiating event screening. This applies in particular to hazard event PSA, which is often confined to boundary assessments for beyond design basis events of one specific hazard impact without consideration of event combinations. However, using Level 2 criteria based on release category metrics as required in the PSA guide [77] for LERF and as recommended for additional release category measures would in principle allow for systematically retaining such high impact/low probability scenarios in the scope of the PSA. In German PSA practice, Level 2 screening criteria are usually not employed.

d) How can a maximum impact be defined for hazards?There are no specific recommendations on the definition of a maximum impact for hazards in the German PSA regulations or practice. In some instances, like e.g. external flooding due to topology, maximum impacts can be derived by showing that higher impacts are practically excluded.

e) To what extent should the identification process for initiating events for the purpose of a PSA utilize the deterministic classification by levels of Defense in Depth (division into anticipated operational occurrences, design basis accidents, and design extension conditions)?This distinction is not applied in the PSA screening process in the German experience. However, a cross-check with deterministic PIE lists as e.g. tabulated in the German Safety Requirements [76] is seen as commendable.

f) Which approaches to bounding analysis are suitable for an extended PSA and upon which criteria can a detailed probabilistic investigation and modelling be omitted?In German PSA experience, bounding analyses are an integral part of the screening process based on CDF values. Particularly for hazard impact events, bounding estimates of conditional CDF are made for justifying that no detailed PSA analysis is necessary. This should be complemented by screening and bounding analysis on Level 2 criteria. Regarding the criteria for bounding analysis, see under b).


IRSN/PSN-RES/SAG/2017-00019 69/142


5.2.7 HUNGARY

The Hungarian practice on initiating event selection is generally in compliance with the methodology elaborated by the IAEA (as summarized in section 5.1.1). However, a short description is given hereby of the specificities of the Hungarian approach accompanied by some details on external hazard selection.The requirements on nuclear safety for Hungarian nuclear powers plants are described in the Hungarian Nuclear Safety Codes. Volume 3 contains design requirements for operating plants, 3.a for new units. Amongst others, the most important internal and external hazards that shall be taken into consideration during the justification of the design and safety are listed in these volumes of the Codes. According to the Nuclear Safety Codes, all those initiating events shall be addressed in the PSA for which it cannot be justified with other methods that they are negligible from a risk point of view.Regarding the Hungarian practice of PSA development for external events, in the first step of selecting external hazards that require detailed analysis, an attempt was made to develop a comprehensive list of potential site specific external hazards. At first a review was performed of regulatory requirements nationally and internationally. Relevant requirements of the Hungarian Nuclear Safety Codes and WENRA reference levels enabled to determine the vast majority of potential external hazards. In addition, use was made of the following documents to identify the initial list of potential external hazards:

1) the stand-alone volume of the joint ANS-ASME PRA standard that sets forth probabilistic safety assessment methodology for external hazards [34],

2) a guidance document of the Swedish nuclear safety authority that builds upon the Finnish and Swedish external hazard assessment experience [71],

3) the Specific Safety Guide of the International Atomic Energy Agency on level 1 PSA [4].In the Hungarian practice a successive approach is applied with combined deterministic and partially probabilistic screening of all the potential external hazards to identify the risk significant ones that need detailed analysis to quantify the plant risk.During screening by relevance the external hazards considered applicable to the site were selected as initiating events. The following aspects were taken into consideration in this screening step:

1) The event is of equal or lesser damage potential than the events for which the plant has been designed.

2) The event has a significantly lower mean frequency of occurrence than another event, taking into account the uncertainties in the estimates of event frequencies, and the event could not result in worse consequences than the consequences from the other event.

3) The event cannot occur close enough to the plant to affect it.4) The event is included in the definition of another event.

On the basis of the conditions listed above, the criteria applied in screening by relevance were the following:

1) Distance: The event cannot occur close enough to the plant to affect it.


IRSN/PSN-RES/SAG/2017-00019 70/142


2) Frequency: The occurrence frequency of the event is justifiably less than a given threshold (see below).

For impact screening the following two criteria were applied:1) Severity: The effects of the event are not severe enough to cause damage to the plant, since

it has been designed for other loads with similar or higher strength.2) Predictability: The event is slow in developing, and it can be demonstrated that there is

sufficient time to eliminate the source of the threat or to provide an adequate response.The quantitative screening criteria of initiating events to be considered during design are set in the conditions for safety-based design prescribed in the Nuclear Safety Codes. The following anticipated initiating events may be excluded from further analysis:

a) internal initiating events due to the failure of systems, structures or components, and/or human errors, if the occurrence frequency is less than 10-5/a for operating nuclear power plants and 10-6/a for newbuilds;

b) events induced by man-made external events applicable to the site, if the occurrence frequency is less than 10-7/a (both for operating and new units), or if it can be justified that the man-made hazard will not have an adverse effect on nuclear safety based on its distance from the plant;

c) natural external events with the occurrence frequency less than 10-4/a for operating units and 10-5/a for newbuilds.

According to the nuclear safety regulations, the risk from natural external hazards beyond the design basis shall be assessed at least in the hazard frequency range of 10 -7 to 10-4/a. Therefore, probabilistic safety assessment of external hazards has to be performed unless it can be shown that the design basis of the plant ensures that the plant can withstand the loads induced by a hazard with 10 -7/a frequency.To the extent available meteorological data and data assessment methodologies make it feasible, the Hungarian practice aims to take into consideration reasonably justifiable combinations of hazards that require detailed analysis.

5.2.8 JAPAN

Atomic Energy Society of Japan discussed the approaches for selecting an appropriate risk assessment method for the external events after Fukushima Dai-ichi accident [97], and published "Implementation Standard Concerning the Risk Assessment Methodology Selection for the External Hazards" [98] in 2014]. Since there are various kinds of external hazards that are potentially assumed at nuclear sites in Japan, this standard defines systematic identification process for the external hazards, including both natural and man-made hazards, and the approaches of selecting an appropriate evaluation method for


IRSN/PSN-RES/SAG/2017-00019 71/142


each external hazard as shown below. In this approach screening of hazard is included in Step 2 and Step 3.

Step 1: Collection of informationInformation necessary to assess the plant concerned shall be collected. Plant walk-downs shall be performed to grasp the current facility installation situation.Information includes such as the plant design and safety evaluation documents, meteorological records of the surrounding area, facility installation status and legal restrictions concerning aircraft and/or vessel route that are necessary in the evaluation.

Step 2: Identification of potential external hazardsThe external hazards that may affect the plant concerned shall be identified. In order to identify the external hazards to be concerned, the standard prepares the list of various kinds of hazards. While individual external hazards are addressed in ASME/ANS Standards [54], [56], IAEA NS-R-3 [20] and IAEA SSG-3 [4], it is still necessary to identify the characteristics of the external hazards specific to Japan including their form of occurrence and the mechanism of their effects. Literature survey was conducted on all external hazards that were experienced in Japan to identify all potential external hazards that may have some impacts on nuclear power plants.After identifying individual hazards, all theoretically possible combinations of hazards to be taken into account were also examined to complete the list.

Step 3: Classification by characterizationThe external hazards shall be classified in accordance with the characterization criteria to assess the plant concerned.1) Selection of characterization factor

There are three factors associated with frequency of occurrence and impact on the plant. In performing the analysis of an external hazard, one of following three factors has to be focused on. Factor 1: "Occurrence"Choose this factor for a hazard whose occurrence frequency is assumed extremely lowFactor 2: "Arrival (distance and progression time)"Choose this factor for a hazard which may occur but whose effects is assumed not to reach the plantFactor 3: "Impact on the plant"Choose this factor for a hazard whose effect may reach the plant but is assumed to have no significant impact on the plantAs for the frequency of the combined external hazards, hazard occurring most frequently among those composing a combined event should be considered.

2) Characterizations


IRSN/PSN-RES/SAG/2017-00019 72/142


Each external hazard shall be characterized in light of the factor above-mentioned and the characterization criterion indicated below. An external hazard consistent with at least one characterization criterion is determined to have no risk of core damage and screened out. If not, go to Step 4.Historical records of hazards in the areas surrounding the plant location identified in the licensing and/or periodical safety review should be used in the characterization.When Factor 1 is selected, "The hazard frequency" will be evaluated.Criterion 1: The frequency of the hazard is apparently extremely low.When Factor 2 is selected, either "The distance between where the hazard occurs and the plant" or "The hazard progression time" will be evaluated.Criterion 2: No hazard occurs in the proximity of the plant to have any impact.Criterion 3: Time scale for hazard progression is sufficiently longer than the time required to take countermeasures for the plant.When Factor 3 is selected, "The effects to the plant" will be evaluated.Criterion 4: It is apparent that no hazard, assuming it has reached the plant, will cause any initiating event leading to core damage.

Step 4: Selection of Quantitative Risk Assessment MethodThe most suitable risk evaluation method shall be selected, considering characteristics of hazard and its effect, such as frequency, consequence and accident scenario or management. The possibility of simultaneous occurrence of multi-hazards is also considered to evaluate in the quantitative evaluations.1) Risk assessment based on the hazard frequency analysis or hazard impact analysis

This assessment is performed when the concerned external hazard may be determined to have no significant risk of core damage as the result of a quantitative evaluation of its frequency or effects to the plant without taking into account any accident management after such hazard has impacted the plant.This kind of risk assessment may be potentially applicable to the hazards of “high wind” and/or “atmospheric pressure change” in Japan.

2) Safety margin evaluationSafety margin evaluation is performed when it is necessary to take into account all accident scenarios after an external hazard has impacted the plant but it is difficult to perform hazard frequency evaluation or when the uncertainty associated with the frequency is significantly high. It is considered to evaluate the safety margin for the core damage risk against external hazard, and if evaluated safety margin exceeds a reference value, the hazard is determined to have no significant risk of core damage.Safety margin evaluation may be potentially applicable to the hazard of “tsunami” in Japan.

3) Deterministic CDF evaluation


IRSN/PSN-RES/SAG/2017-00019 73/142


This risk assessment is performed when it is necessary to take into account all accident scenarios after the hazard has impacted the plant and hazard frequency evaluations can be performed. The Conditional Core Damage Probability (CCDP) of the plant caused by the hazard is evaluated by the postulated initiating event with effects to the SSCs having safety functions. In calculating the CCDP, a bounding analysis or conservative analysis can be performed using the PRA models for internal events. Core Damage Frequency is calculated by multiplying the CCDP by the frequency of the external hazard exceeding the level at which the plant may be affected. If the evaluated CDF is lower than a reference value, the hazard is determined to pose no significant risk of core damage. This risk assessment may be potentially applicable to the hazards of “volcanic ash fall” in Japan.

4) Detailed risk assessment such as PRAExternal hazards determined to have a significant risk as the result of any one of the preceding evaluations specified in 1) through 3) shall be subject to detailed risk evaluation applying such method as Probabilistic Risk Assessment (PRA). Although it is desirable to apply the PRA to all of those external hazards, deterministic evaluations and/or evaluations based on engineering judgment can replace PRA for some hazards in case complex accident scenarios or combined events are to be considered for which no advanced evaluation technique is available.PRA may be potentially applicable to the hazards of “earthquake” and/or “tsunami” if possible in Japan.

5.2.9 LITHUANIA

The Lithuanian practice on initiating event selection is in accordance to the methodology elaborated by the IAEA (see section 5.1.1). While performing, updating, revising and applying PSA, to the extent not contradict to these requirements and other legal acts of the republic of Lithuania, it is recommending to follow good practise documented in IAEA specific safety guides:1. Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, SSG-3, Vienna, 2010;2. Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants, SSG-4, Vienna, 2010.Although, the specific features of the PSA related requirements used or under the development in Lithuanian is described below. The large part of the description is focusing on the external hazard consideration.In Lithuania analysing the all NPP operational states and considering uncertainty, a NPP unit at all stages in the lifetime of NPP shall meet the following probabilistic safety criteria:1. core damage frequency shall be less than 10 -5/a, taking into account all the internal events, internal hazards and external hazards;2. core damage frequency shall be less than 10-6/a, taking into account all the internal events only (internal hazards and external hazards are excluded);


IRSN/PSN-RES/SAG/2017-00019 74/142


3. large release frequency shall be less than 10-6/a, taking into account all the initiating events;4. large early release frequency shall be less than 10-7/a, taking into account all the initiating events, which could lead to large early release.Thus, one of PSA objectives is to assess the probabilities and consequences of external hazards. NPP unit shall be designed and operated so that the likelihood of occurrence of an accident with serious radiological consequences is low as reasonably achievable and that the radiological consequences of such an accident would be mitigated to the fullest extent practicable.PSA shall be performed for all the potential sources of radioactive release in NPP (e.g. reactor core, spent fuel pool), which could lead to release from NPP to the environment exceeding the normal NPP operational limits established by legal acts and (or) normative technical document. PSA shall be performed for all operational states of the NPP.During PSA, a comprehensive list of initiating events shall be made by applying a systemic approach. The list of initiating events (malicious acts is excluded) for all NPP operation states shall include internal events, internal hazards and external hazards, that could lead to core damage and (or) release to the environment. The list shall also include the possible combinations of events and common cause failures. The list of initiating events shall include events of very low frequency with potentially significant consequences on the NPP safety (for example, rupture of reactor vessel). Removal of the events from the list of initiating events subject to detailed analysis shall be justified and documented.Internal events, internal hazards and external hazards shall be analysed (assessed) and modelled in a detailed PSA model. PSA model can be divided into the models of full power, low power and shutdown operation.PSA shall be based on realistic modelling of NPP response to initiating events using data relevant for the NPP design, and taking into account NPP personnel action to the extent assumed in NPP operating and emergency response procedures.At all the stages in the lifetime of NPP, PSA shall be performed taken into account to the NPP operation limits and conditions, maintenance, including tests and repairs. A regularly updated, corresponding to the current NPP design, documented, verified and approved, full-scope (internal events, internal hazards and external hazards, all the NPP operation states) PSA model shall be used for PSA applications. A justification is necessary if the full scope PSA model is not used for PSA applications. Human reliability analysis shall be performed, taking into account the factors, which can influence the performance of the NPP personnel in all NPP states.Contribution of the groups of initiating events, which are grouped according the same or very similar characteristics (i.e. accident progress after the initiating event, NPP response to the initiating event), to the core damage frequency (hereinafter – CDF) and to the large radionuclides release frequency (hereinafter – LRF) and large early radionuclides release frequency (hereinafter – LERF) shall be provided as part of the PSA documentation. Contribution of each initiating event to the CDF and contribution of plant damage states (hereinafter – PDS) (or initiating events) into the radionuclides release category (hereinafter – RC) shall be provided as part of the PSA documentation.


IRSN/PSN-RES/SAG/2017-00019 75/142


In Lithuania PSA should be used for various applications, for instance to identify vital NPP areas. This covers identification of the safety important SSCs and assessment of their impact on the NPP safety, even assuming that initiating events are the result of malicious act.

Initial list of external eventsThe specific attention to the external events was in the analysis of site selection for new NPP as frequency and impact of initiating event depends on geographic position of nuclear power plant, geological and meteorological conditions of the region, and concentration of industrial and military objects in the region, different kind transport intensity and other human activities.Before defining an initial list of initiating events, which may influence common NPP risk, all possible NPP hazardous events should be analysed. General list of such events is recommended in IAEA regulating documents and NRC guides (e.g. NUREG/CR-2300 [106]) designed for performance of probabilistic risk assessment. Initiating events, which obviously do not influence NPP safety, are not included into the list and the list of initiating events is divided into two groups – natural forces induced events and external events related to the human activity.Research of external events impact on safety of NPP and other nuclear objects is carried out similarly as research of internal initiating events impact on safety. After determining frequency of external event, the biggest possible damage, induced by the event on power plant or systems, is defined. The impact of certain events on power plant safety level is analysed separately or it is included as an initiating event into corresponding deterministic or probabilistic models of NPP.

General screening criteriaIn order to distinguish the external events, the impact of which on safety is the most significant, event selection criteria, defined in PSA performance procedures (based on NUREG/CR-2300 [106]), are used. External events are not included into further analysis if they do not meet any of the following criteria:

Criterion 1. Events, which are determined during design of power plant and included into analysis of design accidents or are analogous to mentioned events, but less hazardous;Criterion 2. Event frequency is significantly smaller in comparison to frequency of other events which have similar outcomes or its outcomes are less hazardous than that of mentioned events;Criterion 3. Event cannot occur fairly close to NPP to influence its safety;Criterion 4. Event is included into the definition of other event;Criterion 5. The sequence of event development is very slow and there is enough time to eliminate a hazard source or to prepare necessary security actions.

Application of criteria reduces probability that factors important for general risk may be omitted and enables to reduce the number of initiating events, which will not be used in detailed analysis on NPP safety.

Criteria for combinations


IRSN/PSN-RES/SAG/2017-00019 76/142


The criteria for selection of events (hazards) combinations were related to the consideration of these conditions:1. More general definition of events.Several external events are included in a more general definition of event.2. Events interdependence.Base for the definition of important external events (their combinations) is whether they are dependent or not.3. Different safety functions of NPP are affected.If condition 2 is satisfied, then other condition is considered: whether different NPP safety functions are affected. If events in combination affect the same function, the condition 4 has to be applied.4. The degree of impact on NPP safety functions.If two dependent external events affect the same safety function, these events still might make an important combination. The effect in combination may be more severe than effect of separate events.5. Individual external events criteria.If a combination is judged to be important even after the application of all the above rules, then individual external events criteria has to be applied for the combination as well.

For the considered combinations of independent events (hazards), one could obtain probabilities of those combinations. If events in combination are independent, then probability that they will occur at the same time is equal to the product of each event probabilities. Larger number of independent events in combination and more severe consequences of events with small frequencies lead to the smaller combination annual frequency (becomes closer and closer to the incomparable values, which due to errors may be considered as equal to zero). Annual frequency of combination of dependent or partially dependent events is higher than what one would obtain if independence is assumed.

As mentioned above in Lithuania the IAEA methodology and international best practice is mainly used. According to the IAEA, combinations of hazards may be excluded from the analysis, if they satisfy the following conditions:

Hazards combination is not physically possible. Hazards in combination does not have any different joint effect on NPP; The annual frequency of hazards combination is equal to or less that a threshold.

It is important to note that, as mentioned in various literature, some individual hazards (phenomena) already are combinations of hazards, so that analysis of such compound already cover analysis of individual hazards. Once combinations of such external hazards are made and when dependencies and influences are established, one can apply previously defined criteria in order to select unimportant combinations of external hazards. Such analysis may depend on site and NPP design characteristics and is performed at the stage, when information necessary to assess the effect of combination is known.


IRSN/PSN-RES/SAG/2017-00019 77/142


5.2.10 ROMANIA

The general requirements for development and applications of PSA study level 1 and level 2 are established by the PSA study norm, issued by National Commission for Nuclear Activities Control (CNCAN) in 2006. Concerning PSA development, the following is stated [46]:

- all initiating events relevant for the plant, including internal fires, internal flooding, seismic events and severe weather conditions shall be considered in the PSA. PSA shall be developed for all plant operating modes;

- the initiating events can be grouped according to their consequences on performance of the safety functions. Initiating event grouping and the assumptions used for this purpose should be documented and justified;

- any exclusion of initiating events has to be justified, considering both the frequency of occurrence and their consequences.

The design basis events shall include operational anticipated events, transients and accident situations, considering all sources of radioactive releases (including content and form) from which accidental releases could be postulated.Identification of postulated initiating events shall be made in a systematic way, based on the NPP’s conceptual design evaluation, operating procedures and site specific potential external influences. The list of selected events shall include all failures or credible malfunctions of components and systems, including those due to human errors, common cause initiating events and external events (both natural and human induced), which can affect the nuclear safety. The design basis events shall cover the following generic categories of events [47]:

a) initiating events together with all their consequences;b) credible combinations of process systems failures together with all their consequences;c) credible combinations of internal initiating events and external events together with all

their consequences;d) credible combinations between events from the above categories and failures or

unavailabilities of systems and equipment whose action can mitigate the consequences of these events.

In defining the design basis events from accident category, those events (and their credible combinations) having the most severe consequences on the fulfillment of the safety functions, respectively on each important parameter for fulfillment of safety functions, will be selected. The selection of design basis events shall be justified and supported by deterministic and probabilistic analyses. Any exclusion from the design basis analysis for protective systems of some events or combinations of events having a frequency of occurrence greater than 1.E-07/a, shall be justified.


IRSN/PSN-RES/SAG/2017-00019 78/142


Even if some external events, considered individually, could have been excluded, all their credible and relevant combinations should be considered in the nuclear safety analysis. Such combinations could include two or more external events, and combinations between external events and internal events (as for instance a LOCA event combined with a seism), or between external events and man-induced events. The succession of events and the combination of events having causal interdependencies, as the combinations of independent events, having individual high occurrence frequencies, should be considered.A design basis external event could be an individual events or a combinations of independent external events or causally dependent. For each design basis external event, the target value for annual probability should be lower than 1.E-04/a [89]. In order to derive a comprehensive list of events to be considered for Cernavoda Units 1 and 2, a review of CNSC regulatory documents and guides, IAEA guides, ANSI/ANS standards, and US NRC documents and IPEEE experience has been performed.The internal events list includes failures of SSC, human errors and potential consequences of equipment failures.The external events are divided into natural and human induced events. As natural external events, the following are specified: seismotectonic events; geological events (landslides, ground settlements and collapse); hydrologic events; meteorological events (extreme temperatures; rainfalls; extreme wind; tornados; lightning; drought); biological events; fires in vicinity of the site [47], [89].

The human induced events include: aircraft crash; events due to activities in vicinity of the site (missiles, gases, fires, explosions); electromagnetic interference; fires on the site [47].

As quantitative safety objectives, the following acceptance criteria on the effective dose vs. frequency of the PSA Level 3 scenarios (event) are used [47]. The calculation of effective dose assumes the most exposed person who is situated outside the exclusion zone of the plant and impacts are integrated over 30 days after initial accident release and over all exposure pathways:


IRSN/PSN-RES/SAG/2017-00019 79/142


Event Group Effective dose (for the most exposed person, situated outside the exclusion zone, at 30 days after emission, calculated for all paths of exposure)

Total annual frequency for events that could induce these effects

Group no. 1 0.1-1 mSv <1.E-2Group no. 2 1-10 mSv <1.E-3Group no. 3 10-100 mSv <1.E-4Group no. 4 100-250 mSv <1.E-5Group no. 5 250-500 mSv <1.E-6Group no. 6 >500 mSv <1.E-7

The preliminary screening criteria, established in accordance with internationally recognized standards, consist of the following (any one of these criteria is considered to be sufficient to screen out the event) [48]:

The event is of equal or lesser damage potential than the events for which the plant has been designed. This requires an evaluation of plant design basis in order to estimate the resistance of plant structures and systems to a particular external event.

The event has a significantly lower mean frequency of occurrence than another event taking into account the uncertainties in the estimates of both frequencies. The event in question could not result in worse consequences than the consequences from the other event.

The event cannot occur close enough to the plant to affect it. This criterion must be applied taking into account the range of magnitudes of the events considered.

The event is included in the definition of another event. The event is slow in developing and it can be demonstrated that there is sufficient time

to eliminate the source of the threat or to provide an adequate response.

The initiating events can be grouped according to their effects on the safety functions affected by their occurrences. If more protective systems contribute to the recovery of the respective safety function, the initiating events can be grouped according to the expected response of the protective systems.The initiating events have to be grouped in such a way that all events in the same group impose essentially the same success criteria on the front line systems as well as the same special conditions (challenges to the operator, to automatic plant responses, etc.) and thus can be modelled using the same event/fault tree analysis.

After the Fukushima Daiichi accident, a complex safety review of the protection against external events for Cernavoda NPP was undertaken in the context of the European "stress tests". The natural and man-made external hazards analysed for the Cernavoda site included the following: earthquake,


IRSN/PSN-RES/SAG/2017-00019 80/142


flooding, extreme temperatures, high winds, lightning, low Danube level, snow fall, explosions and releases of toxic and explosive gases, fires, missiles, aircraft crashes [48].

As part of the “stress test” assessment, a screening and bounding analysis for Cernavoda NPP response under severe weather conditions has been performed.

5.2.11 RUSSIA

The main regulatory basis of the IE identification procedure, as well as for other PSA technical elements is RB-032-04 “Main recommendations on NPP PSA execution” (issued in 2004) with basic requirements for performing probabilistic safety assessment; and NP-064-05 “Accounting of impact of natural and man-made external hazards on nuclear facilities” (issued in 2006). The following screening criterion is established in NP-064-05: all external hazards with frequency equal or more than 10 -6 1/a should be accounted in nuclear facility design.Approach for development of External Hazards PSA for Russian NPP (in the frameworks of SWISSRUS project) was in line with IAEA recommendations, taking into account national regulations. To develop plant-specific list of hazards an extensive review of information for Plant-Unique External Hazards was fulfilled (plant layout and design documentation; site meteorological and hydrological information; data on potential sources of external events including their location, content of hazardous materials, location of air ways and airports within 50 km from site) and the screening walkdown performed. For screening purposes the following screening criteria were used:Qualitative Screening Criteria(A) The event cannot occur close enough to the plant to affect it.(B) The event is included in the definition of another event(C) The event is slow in developing and there is sufficient time to eliminate the source of the threat or to provide an adequate response. The criterion C was used to screen out such events as drought, river diversion, loss of coolant lake, soil shrink, low winter temperature.

Quantitative Screening Criteria(D) The event either has a very low (<1E-6/a) mean frequency of occurrence or has a significantly lower mean frequency of occurrence than other events with similar uncertainties and could not result in worse consequences than those events. The uncertainty in the frequency estimate for the excluded event is judged as not significantly influencing the total risk.(E) The event is of equal or lesser damage potential than the events for which the plant has been designed or the event severity required to affect the plant has a frequency less than about 1E-6/a.

Bounding analysis for non-screened events was based mainly on assumption that core damage conditional probability given a hazard with high magnitude is equal to unity.


IRSN/PSN-RES/SAG/2017-00019 81/142


5.2.12 SWEDEN

The Swedish Radiation Safety Authority (SSM) publication SSMFS 2008:1 provides SSM regulations and general advice concerning safety in nuclear facilities.

With this SKI report 2003:48 (in Swedish) [108] is used as 'PSA Review Handbook' and provides requirements on the performance of PSAs, as well as control of the PSA activities of the licensees. This review handbook presents important aspects to be considered when judging whether a licensee fulfils the requirements on PSA activities, including the performance of PSA's or PSA applications. The handbook is also guidance for the review of PSAs; however it is not a handbook for how a PSA is performed. The PSA review handbook is applicable to all types of initiating events and all operating conditions, and has been structured in a way, which stresses the integrated characteristics of PSA in the creating of the risk picture of a plant.

In Sweden initially, initiating events were defined independently within each PSA, based on IEEE and IAEA lists. As a part of the project SUPER-ASAR (As-operated Safety Analysis Report) (in Swedish), SKI Technical Report 90:3, 90:4, a common classification of initiating events was developed for all BWR and all PWR. This classification was also required in order to make possible a common approach towards the analysis of transient data, and ultimately resulted in the development of the 'I-Book' (SKI Report 94:12, 2nd edition – in Swedish [107]), presenting frequencies of initiating events. However, I-Book is not utilised the way it was supposed to be used by PSA practitioners.

The method for the analysis of external events was developed as a part of the ASAR 90 programme. The aim of the project was to evaluate the state of the art within the field of external events and to propose an analysis approach (excluding seismic events). The work concerning 'selection of relevant external events' represented an overview of available methods for screening of initiating events. The recommended approach was iterative. A complete identification of potentially relevant initiating events was crucial. Thereafter, simplified frequency and consequence estimates were made in order to screen out non-critical initiators. Increasingly sophisticated methods were used for the screening of the remaining initiators, in order to arrive at a final set of relevant initiators that will be included in the PSA.

The SKI Report 02:27 (2003) “Guidance for External Events Analysis” [71] is summarised in ASAMPSA_E WP 22 deliverable D22.1 [96] and relevant summary is repeated here again. This SKI report includes four phases, addressing project planning, identification of external events, screening of events, and probabilistic analysis. The aim is first to do as a complete identification of potential single and combined external events as possible. Thereafter, as many external events as possible are screened out as early as possible. This documents aims at creating a common framework for analysis of external events as part of Probabilistic Safety Assessment study for a nuclear power plant. The guidance does not cover seismic events or events originating from acts of sabotage or terrorism.


IRSN/PSN-RES/SAG/2017-00019 82/142


The main elements presented are as follows:

The procedure for the identification of a complete set of potential single external events is described, using a categorization of external events in accordance to main group, cause of event (air based, ground based, water based) and relevant deviations. An additional classification of events into natural and man-made external events is made.

A procedure for the identification of a complete set of potential combined external events is given, together with the used selection criteria (definition of events; different safety functions affected; degree of impact on plant safety functions; single external events criteria).

The main screening criteria are presented and their use is described with some examples. A

relevancy screening should be performed, to obtain a list of site relevant external events. Afterwards, to obtain a list of potential plant relevant external events, an impact screening should be performed (when the maximal strength imaginable at the site will not even have a minor effects on the plant structures cooling, electrical transmission or on the plant operation, the event should be eliminated). The deterministic screening eliminates such plant relevant external events, either single or combined, which do not cause any initiating event modelled in PSA and loss of safety systems needed after the initiating event. The aim of probabilistic screening is to evaluate which events represent an acceptable risk.

An introduction to some deterministic analysis methods that use analysis experience data for external event, and data sources discussion is given.

The information needed on plant response to the external events remaining after the impact screening is defined and a work procedure for performing a plant response analysis is given.

The modelling and quantification of external events using an internal events PSA model is described, as well as how a PSA model can be used in order to estimate the importance of a specific external event.

Concerning human activities, it is stated that if they are performed within the relevant surroundings, they may impact the plant via man-made external events. The natural environment may impact the plant itself directly or by affecting man-made activities, the site or other plants on the site.

The plant response information regarding an external event consists of relevant design characteristics, concerning plant characteristics, and protective or mitigating human interactions. The analysis must decide what kind of impact the external events will have on the plant, and how the plant is protected against the impact. The protection may include both structural characteristics, characteristics of active or passive safety functions and protective or mitigating human actions, as defined in safety and operating procedures.


IRSN/PSN-RES/SAG/2017-00019 83/142


5.2.13 SLOVAKIA

The UJD SR decree “Safety documentation of nuclear installations” [29] and UJD SR guideline on “Application of PSA methodology in the regulatory process” [30] are main documents, which formulate general approach and utility obligations to the PSA.The UJD SR recognizes the PSA methodology and requires performing internal event level-1 and level-2 PSA for full power, low power and shutdown operational states for any plant in the site (including internal fires and floods). If relevant, external hazards (as seismic event, extreme temperature, aircraft crash, etc.) must be incorporated into the assessment.

5.2.14 SLOVENIA

The Regulation JV 9 [31] sets requirements for preparation of the Probabilistic safety analyses: Article 40 specifies the application of PSA in assessment of modifications, Article 49 requires PSA model and all necessary data to be provided to the regulator, Article 50 describes the required content of the PSA, Article 51 defines the requirements considering PSA quality and maintenance, Articles 52 and 53 specify the scope and applicability of PSA results.Article 50 of the Regulation JV 9 [31] states that probabilistic safety analysis shall cover:1. all the relevant operational modes of the facility; in the case of a nuclear power plant, these operational modes include, in particular, modes ranging from refueling and operation at low power levels up to the full power operation; 2. all the relevant initiating events and potential hazards, including fire, flooding, severe weather conditions and seismic events;3. all the relevant dependencies, including functional dependencies based on the physical location of components and common cause dependencies;4. an analysis of uncertainties and sensitivity analyses of a level 1 probabilistic safety analysis, and a sensitivity or uncertainty analyses of a level 2 probabilistic safety analysis;5. analyses of human reliability, taking into account the factors which can influence the performance of the operators and other personnel in all the analysed plant operational modes.For the review of the nuclear power plant Krsko PSA within the second periodic review [32] the ASME RA-Sb-2005 [33] for internal events and ANSI/ANS-58.21-2003 [34] for external events including seismic were applied.The ANSI/ANS standard [34] requires that potential external events that may affect the site shall be considered and shall be subjected to either screening, bounding demonstrably conservative analysis, or detailed analysis. The ANSI/ANS standard requires for demonstrably conservative analysis to be performed using defined quantitative screening criteria. The ANSI/ANS standard requires for a walkdown of the plant and its surroundings to be performed as a basis for the screening out of an external event. The ANSI/ANS standard also requires for documenting the screening out of an external event in a manner that facilitates applying the PRA and updating it and that enables peer review.


IRSN/PSN-RES/SAG/2017-00019 84/142


Finally, it should be noted that new revision of regulations JV5 [57] and JV9 [38] have been prepared in draft form in December 2015 for public hearing. Both draft regulations follow the newest WENRA RL for operating reactors [11]. Per draft JV9 proposal [38] the scope of PSA analyses should include fuel in the core and in the spent fuel storage (WENRA RL O1.1). Regarding natural hazards the whole WENRA issue T was adopted in the proposed draft of JV5 [57]. The proposed exceedance frequencies of design basis events shall be low enough. A common target value of frequency, not higher than 10-4 per annum, is proposed to be used for design basis event (individual natural hazards or combinations of hazards).

5.2.15 SWITZERLAND

The national practices strictly conform to the ENSI (Swiss authority) requirements set forth in the Swiss guideline ENSI-A05 [40] as follows.Earthquakes, extreme winds, tornadoes, extreme floods and aircraft crash are required to be analysed in detail and must be incorporated in PSA, regardless of the estimated frequency of the potential initiators, cf. sections 4.6.2-4.6.6 of [40].

All other external events need not be incorporated in the PSA models when either one of the following conditions is met (screening criteria):

- It is possible to justify qualitatively that the potential risk (in terms of frequency of core damage) contributes only marginally to CDF/FDF14 (e.g. in case when the impact on the facility does not invoke the activation of safety systems or the consequences are covered by accidents having significantly higher initial frequency of occurrence).

- A quantitative assessment demonstrates that the potential contribution to CDF/FDF is not expected to exceed the value of 10-9/a.

This is done using the conditional probabilities of core damage or fuel damage from internal initiating events that have similar consequences or impact on systems and components as the external initiating event under consideration, multiplied by the estimated frequency of occurrence of the external initiating event.

5.2.16 UNITED KINGDOM

High-level regulatory expectations on screening for PSA are defined in ONR’s Safety Assessment Principles (SAPs) [10], specifically SAPs

14 The ENSI-A05 [40] differs from the ASAMPSA_E recommendation in D30.5 [87]. CDF relates to fuel damage in the core during full power operation while FDF relates to fuel damage during non-full power operation for fuel in the core or the SFP.


IRSN/PSN-RES/SAG/2017-00019 85/142


- FA.2 “Fault analysis should identify all initiating faults having the potential to lead to any person receiving a significant dose of radiation, or to a significant quantity of radioactive material escaping from its designated place of residence or confinement.” [10], p. 136,

- FA.12 “PSA should cover all significant sources of radioactivity, all permitted operating states and all relevant initiating faults” [10], p. 141, and

- FA.13 “The PSA model should provide an adequate representation of the facility and/or site.” [10], p. 141.

Important requirements include [10], p. 141f,- “Screening criteria used to exclude low frequency faults should be justified.”- “The identification of initiating faults should consider the potential for combinations of hazards.

At multi-facility sites, the analysis should also consider the potential for specific initiating faults giving rise to simultaneous impacts on several facilities or for faults in one facility to impact another facility.”

- “Where groups are used to represent several initiating faults or fault sequences, the group should be assigned a frequency equal to the summed frequency of the contributors to the group and should be represented by the most onerous one.”

More specific regulatory expectations on screening for PSA are defined in ONR’s guide on PSA NS-TAST-GD-030, Rev. 4 [36]. These include the following.

- ONR requires a PSA Level 1, Level 2, and Level 3.- “The overall risk analysis of the NPP covers all sources of radioactivity at the facility (reactor

core, fuel ponds, fuel handling facilities, waste storage tanks, etc.).” [36], p. 26- The PSA is made for all type of initiating events and hazard scenarios and for all operational

modes.- Risk measures of interest are core damage frequency for PSA Level 1 [36], p. 27 and large

release frequency as well as large early release frequency for PSA Level 3 [36], p. 63f - For initiating event identification, “all disturbances that require mitigation to prevent core

damage and those that lead directly to core damage [are addressed]” [36], p. 27- Regarding grouping, “The process for grouping initiating faults is clear, i.e. the grouping

criteria and the mapping to derive the final initiating fault groups are transparent.” [36], p. 28. The group is represented by a bounding (most onerous) scenario, which is clearly described.

- Regarding hazards screening, “[t]he approach and criteria for the screening of hazards are auditable and justified.” [36], p. 46. Applicable to the plant and reasons for exclusion from analysis are clearly explained.

- ONR’s PSA guide [36] includes further specific guidance on internal fires, internal flooding, and seismic analysis.


IRSN/PSN-RES/SAG/2017-00019 86/142


5.2.17 UKRAINE

The main regulatory basis of the IE identification procedure, as well as for other PSA technical elements is GND 306.7.02 2.048-01 “Methodology for review of the PSA attached to report on safety analysis of power units operated at NPP”. This document contains an overalls approach and acceptance criteria for regulatory review of PSA and also can be used as recommendations for PSA development.

The IE identification approach for postulated initiating events (PIE) is similar to approach presented in Section 4, with small differences in subdivision of PIE group differences. According to NP 306.2.162-2010 «Requirements for NPP safety assessment», anticipated operational occurrences are events with frequency more than 10-2/a, design basis accidents – 10-5 – 10-2/a, for BDBA and severe accidents frequencies has not been indicated.

For the PSA Level 1 purpose a blended approach, combination of top-down analysis (development of master plant logic diagram); using existent lists of initiating events; evaluation of operating experience and evaluation of plant documentation (emergency operating procedures, technical specifications, safety analysis reports, etc.) is used to develop comprehensive list of IEs. Quantitative screening criterion is only one: IE with frequency less than 10-7/a are excluded from detailed consideration.

Regarding identification of hazard, events are categorized in the following way: (1) internal hazards: fire, flood, dropped loads, etc.; (2) external (natural) hazards: earthquakes, hurricanes, floods, meteorites, lightning, etc.; (3) man-made hazards: aircraft crash, transport accidents, explosions, chemical or radioactive contamination of territory or atmosphere. The list of candidate hazards is then reduced by screening out those which: are not applicable to the site/plant; or are of negligible frequency as compared with CDF for internal IE; or have no significant impact on the plant. For man-made hazards the widespread method of screening is use of the screening distance value. An NPP is considered vulnerable to a particular external hazard if the frequency at which the external hazard can cause any plant end state to occur is significant compared to results from the Level 1 PRA of internal initiators. The frequency of an end state initiated by an external hazard is considered insignificant if: the frequency is more than a factor of 100 less than the frequency for the end state quantified in the Level 1 PRA of internal initiators; or the initiating event frequency is below 10-7/a. However, sum of end state frequencies (i.e. CDF) should not more than 10% from total CDF resulted from PSA for internal IE.

Several methods are available to support the initial identification (initial screening) of hazards. Some hazard sources are too far removed from the NPP site to pose a risk to the plant. Many risk methods include screening criteria related to the separation between a hazard source and the site (e.g., the distance between the site and industrial facilities, airports, and transportation routes). When applicable screening criteria divulge that a hazard source is too far removed from the site to pose a risk, it can be


IRSN/PSN-RES/SAG/2017-00019 87/142


concluded that NPP is not vulnerable to that hazard. So, under initial screening the following categories of criteria are used:

1) Distance from source of hazard to NPP or separate SSC at the site;2) Possible damage to NPP from hazard does not exceed the effects of the internal IE or other

event considered in the NPP design;3) External hazard is a special case of other external hazard;4) External hazard is characterized by conditions that are below the design limits;5) External influences obviously have a much lower incidence than other hazard, and cannot

lead to more serious consequences.

Some hazards can easily be assessed without recourse to detailed computations. Meteor impact is an example, since it only depends on the area of the site. For such external hazards a quantitative comparison with results from the Level 1 PRA of internal initiators will disclose whether NPP Unit 1 is vulnerable. Also it may be possible to perform bounding calculations to assess the impact of certain external hazards on NPP Unit 1. For example, if conservative blast analyses demonstrate that the shock wave resulting from an explosion at a nearby industrial facility or transportation corridor is incapable of damaging plant equipment to the point where a reactor trip occurs, it can be concluded that NPP Unit 1 is not vulnerable to the external hazard.

5.2.18 USA

The U.S. Nuclear Regulatory Commission (U.S. NRC) defines screening as ”a process that distinguishes items that should be included or excluded from an analysis based on a defined criteria.” (NUREG-2122, [101]). The U.S. NRC also supports the ASME/ANS definition of screening criteria, which is defined as “the values and conditions used to determine whether an item is a negligible contributor to the probability of an accident sequence or its consequences” (ASME/ANS PRA Standard).There are two types of screening criteria applied to external hazard PSA: qualitative screening and quantitative screening. The objective qualitative screening is to identify portions of the analysis whose potential risk contribution can be judged negligible without quantitative analysis. Qualitative screening is used during the development of a PSA model. When employing this type of screening analysis, the analyst should use approved screening criteria to eliminate potential hazard or risk contributors (i.e., scope or level-of-detail items) from the PRA.Some examples of qualitative screening criteria include (as presented in NUREG-1855 [102]):

- The contributor or hazard cannot occur close enough to the plant to affect it. Application of this criterion must take into account the range of magnitudes and frequencies of the hazard.

- Screening of contributors or hazards from a PRA based on the fact that core damage would not occur during a selected mission time (e.g., 24 hours) and core damage would not occur later, assuming no credit is taken for any compensatory measures that are implemented after the mission time is exceeded.


IRSN/PSN-RES/SAG/2017-00019 88/142


- The contributor or hazard is included in the evaluation of another hazard or event.

The objective of the quantitative screening is to eliminate portions of the analysis from further consideration based on preliminary estimates of risk contribution through the use of established quantitative screening criteria. There are specific numerical criteria and conservative analytical rules to assure that the contribution to risk is small. The numerical criteria utilize the frequency of the design basis hazard and the associated conditional core damage probability or a CDF value calculated using a demonstrably conservative analytical method for evaluating the hazard. A principle being followed in developing the screening criteria is that the qualitative and quantitative screening criteria should be consistent since their purpose is to eliminate events that are negligible contributors to risk. RG 1.200 [103] identifies screening criteria for external hazards. Prior to screening any hazard, all natural hazards and man-made events that apply to the site under consideration are first identified. A preliminary screening is used to eliminate events matching the criteria from further consideration. Further screening can be performed by using a bounding or demonstrably conservative analysis with defined quantitative screening criteria to demonstrate that the risk from some external events is sufficiently low to eliminate them from additional consideration.As stated in RG 1.200 [103]: “an event can be screened out either (1) if it can be shown using a demonstrably conservative analysis that the mean value of the design-basis hazard used in the plant design is less than 10-5/a and that the conditional core damage probability is less than 10 -1, given the occurrence of the design-basis-hazard event; or (2) if it can be shown using a demonstrably conservative analysis that the CDF is less than 10-6/a. It is recognized that for those new reactor designs with substantially lower risk profiles (e.g., internal events CDF below 10 -6/a), the quantitative screening value should be adjusted according to the relative baseline risk value”. Note that:“Use of the NRC Standard Review Plan (SRP) or design bases to show that a screening criterion is met is not an acceptable approach for screening out contributors or hazards. This is based on the fact that a quantitative assessment of a contributor or hazard that has been screened out qualitatively — based on meeting the SRP or design bases — may result in a core damage frequency that would not have otherwise allowed the contributor or hazard to be screened out quantitatively” (NUREG-1855 [102]).

Additional guidance on screening criteria is presented in NUREG-1855 [102], section 5.2.

5.2.19 OTHERS

5.2.19.1 AREVA´s External Events Screening Methodology

IntroductionAREVA´s methodology for the analysis of external events follows the results of the WENRA paper on consideration of external events for new reactors [35] and is based on the methodology proposed in [71].


IRSN/PSN-RES/SAG/2017-00019 89/142


External events are characterized as originated from outside of the plant and create an extreme environment with the potential of causing initiating events at the plant, typically a transient.Relevant external events are those events which impact the plant structures, systems or components with:

1) The potential to degrade one or more plant safety functions and, at the same time, with2) The potential to request the plant safety systems to keep the plant in a safe state or to bring

it into a safe state.The aim of the screening analysis is to identify from an exhaustive list of external events those single and combined external events which are relevant to the plant and the site with regards to their potential of affecting the plant safety via air, ground or water.To this end, the analysis involves the following steps:

1) Initial data collection,2) Identification and definition of the external events (exhaustive list) and3) Screening analysis of external events.

The scope of the present report covers the details of these steps.

Initial Data CollectionThe first step consists of the collection of relevant information. This step provides the input information for the screening analysis for the identification of potentially relevant external events to the plant and to the site. The required data involve site specific and generic experience and information on specific external events and their consequences, such as topography of the site, historical information on occurrence of external hazards and design features of the plant to cope with the external events.

Identification of Potential External Events and EffectsThe second step involves the identification of a complete set of single and combined external events.

Identification of Potential Single External EventsThe identification of potentially relevant single external events results in a list of events that constitute the input to the external events screening analysis.The list should be as exhaustive as possible. The following sources provide the main inputs in the compilation of the list of external hazards:

- RHWG Position Paper on safety of new reactors [35],- SKI Report 02:27 [71],- IAEA Safety Standards (see [60], [72], [61], [73], [22]),- NUREG/CR-5042 [74].

Grouping the various types of external events is useful for structuring the information presented, and makes it possible to perform a tentative completeness check of the events identified, (e.g., the external events can be grouped into air, ground, or water related events and/or into natural events (e.g. various extreme weather conditions) and man-made events (e.g., airplane crash, gas explosion).


IRSN/PSN-RES/SAG/2017-00019 90/142


Note that each event is classified only into one event group, even if it has characteristics from more than one group.

Identification of Combined External EventsThe identification of combined external events is based on the analysis of potential single external events. The entire list is used.Generally, a combination of external events is considered to be relevant, if the combination has either a higher degree of severity or additional effects on the plant compared to those of the single event. Typically, a combination of hazards involves natural events (e.g., heavy wind and high sea water level). However, combinations of natural and man-made events are also possible and cannot be excluded beforehand (e.g. increased risk of ship accidents during heavy weather conditions).The identification of combined external hazards focuses on the identification of correlation mechanisms, such as:

- Source correlated hazards, e.g. earthquake and tsunami,- Phenomenological correlated hazards, e.g. strong wind and heavy rain,- Induced hazards, e.g. earthquake and earthquake induced fire.

In addition, uncorrelated events may be relevant if they have a large frequency of occurrence/exceedance frequency and/or a long duration.Note that external events that have been originally screened out as single events using the screening criteria C3/Distance, C4/Inclusion and C6/Applicability (see Table 5-4) are considered to be not relevant candidates of a combination.

General Effects from External EventsThen, it is useful to summarize the potential general effects which the external events may have on the plant. For this purpose a list with the main categories, in which the plant impact might fall for the most external events, should be established.An example of plant effect classes is given in Table 5-3.Table 5-3 Example of plant impacts typeIMPACT TYPE DESCRIPTIONStructure/PressureStructure / Missile

The external events affect the structure and disable the safety function contained. These events involve a direct or a pressure-wave impact.

Heating, Ventilation, Air Conditioning (HVAC)

The external event affects HVAC functions and may cause partial or total loss of safety systems relying on heating or cooling. Alternatively, the event may affect the plant crew through the ventilation system, e.g., toxic gases.

Ultimate heat sink The external event affects the ultimate heat sink and may cause partial or total loss of secondary cooling.

Power supply The external event affects the offsite power and may cause loss of offsite power.

External flooding The external event causes flooding of buildings or structure and may disable the safety functions contained.

External fire The external event causes fire in buildings or structure and may disable the safety functions contained. In accordance with NUREG-1407 [75] the potential effects of fire on the plant could be the loss of offsite power,


IRSN/PSN-RES/SAG/2017-00019 91/142


forced isolation of the plant ventilation.Electric The external event affects safety functions by creating electrical or

magnetic fields.Other direct impact In a few cases, the event may work in a way that is not covered by the

general categories. Examples are plant isolation/limited accessibility.

External Events Screening ProcessAccording to [71], two screening processes are considered:Relevancy screening: it has the aim to discard such potential single or combined external events,

which are not relevant to the nuclear power plant due to its location. The result of the relevancy screening is a list of site relevant external events.

Impact screening: considers the list of site relevant external events and eliminate those potential external events which, with the maximal strength imaginable at the site, will not even have minor effects on the plant structures, cooling, and electrical transmission or on the plant operation. The result of the impact screening is a list of potential plant-relevant external events.

Screening Criteria for Single External EventsA single external event is screened in if the consequences of the external hazard could be important (e.g., to the plant structures, plant cooling systems) and the hazard frequency is not bounded by an internal event analysis already performed in the level 1 PSA.For screened-in events, a detailed analysis is necessary to evaluate the frequency of core damage due to the external hazard. The relevancy screening is based on general knowledge about the strength of the potential external event and the relevancy at the site.In order to arrive at a manageable amount of potential single external events, the following relevancy and impact screening criteria are used based on ref. [71]:Table 5-4 Screening criteria for single external events:

C1/SeveritySite-related screening

criteria

C2/FrequencySite-related

screening criteria

C3/DistanceSite-related

screening criteria

C4/InclusionImpact

screening criteria

C5/WarningImpact screening

criteria

C6/Applicability

Screened-out if:

The event has a damage

potential that is less or equal to

another event that the plant

is already dimensioned

for.

Screened-out if:

The event has a considerably

lower frequency of occurrence than events with similar

uncertainties and cannot

result in worse consequences.

Screened-out if:

The event cannot occur close enough to the plant to

affect it.

Screened-out if:

The event can be

included in the definition

of another event.

Screened-out if:

The event develops in such a slow

rate that there is

enough time to initiate

counteractions.

Screened-out if:

The event is not applicable

to the site because of

other reasons.

Screening Criteria for Multiple External Events


IRSN/PSN-RES/SAG/2017-00019 92/142


A combination of external events is considered to be relevant if the combination has more severe or additional effects on the plant compared to those of the initial single external event.In order to arrive at a manageable amount of potential combined external events, the following screening criteria are used based on reference [71]:Table 5-5 Screening criteria for multiple external events:

M1 / Definition M2 / Independence M3 / Impact C1 – C6Screened-out if:

The multiple events are included in the definition of a single event, which is already analysed for the plant

Screened-out if:

The events occur independently of each other in timeANDThe probability of simultaneous occurrence is low, i.e., below single event frequency screening criteria C2

Screened-out if:

The events do not occur independently in time (see criterion M2)ANDThe events affect the same plant safety functionANDThe combined effect on the safety function is not greater than the effect from the most severe of the single events involved

Screened-out if:

Any of the single external events criteria apply to the potential multiple events


IRSN/PSN-RES/SAG/2017-00019 93/142


5.3 COMPARISONS OF PRACTICES AND LESSONS LEARNED

A very general methodology for identifying initiating events has been drafted in section 4 of the present report. This general approach essentially reflects most pertinent guides and also common sense. However, it leaves much space for the individual PSA development. Therefore, the present section 5 intends to shed light on the practices in different countries.

There are several high-level documents and guides which have been mentioned in the previous sections. Unfortunately these documents do not have a high degree of detail. They very often provide general suggestions, which need to be interpreted and adjusted when performing a PSA.

The following examples and related comments provide a perspective on the level of guidance:The ASME/ANS RA-S standard [54], [56] has two sets of screening criteria: one for the internal initiating events at power and one for external events at power. For external events the ASME/ANS RA-S standard requires that all potential external events (both natural hazards and man-made events) that may affect the site shall be considered and shall be subjected to either screening, bounding (demonstrably conservative) analysis, or detailed analysis. The list of external events that should be included as a minimum is provided in the standard. Requirement for supplementing of the list with the site-specific and plant-unique external events is given. The preliminary screening is qualitative and is performed using a set of five screening criteria.For hazard events, SSG-3 [4] recommends a systematic screening approach. However, there are no statements against which specific criteria initiating event and hazard scenarios should be screened out.WENRA reference levels for existing reactors [11] require that adequate screening criteria shall be defined in order to identify the relevant initiating events and operational states, but no further details are given.For external hazards, the main issue is combination of external hazards. Several countries set requirements for the consideration of combinations of external hazards. However, in general there are no specific recommendations on how to treat combinations of hazard events in the determination of initiating events or hazard scenarios for a PSA. Only the EU industry representative provides some information. Typically, a combination of hazards involves natural events (e.g., heavy wind and high sea water level). However, combinations of natural and man-made events are also possible (e.g. increased risk of ship accidents during heavy weather conditions). The identification of combined hazards focuses on the identification of correlation mechanisms, such as source correlated hazards (e.g. earthquake and tsunami), phenomenological correlated hazards (e.g. strong wind and heavy rain), and induced hazards (e.g. earthquake and earthquake induced fire).


IRSN/PSN-RES/SAG/2017-00019 94/142


The following conclusions can be derived from above described approaches: all significant initiating events and dependencies and correlations that affect the results should be considered in the model, but hardly any specific requirements are described.

As a consequence, practically no PSA exist which fully complies with present guides. Only few countries mention that they follow or develop regulation according to WENRA reference levels. Also only few countries directly refer to ASME/ANS standards.

The following sections provide a short summary of the contributions above provided by the individual countries.A grouping into seven bins has been applied. For each county, the availability of respective information is indicated.

Figure 5-2 Overview over Screening Approach Topics by Country

5.3.1 LIST OF IE AND HAZARDS TO BE CONSIDERED IN THE SCREENING PROCESS

All countries list hazards like fire, flood, earthquakes, hurricanes, floods, lightning and man-made hazards like airplane crash, transport accidents, explosions. Hazards resulting from human errors are mentioned by most countries. Some countries mention special additional hazards like volcanism (CA, JP), electromagnetic interference (CA, DE), heavy load drop (FR, DE), tornados (CH, DE, JP) or microbiological corrosion (DE). Belgium (BE) does not envisage external hazards.

In their hazard lists the different countries refer to reference documents issued by IAEA (e.g. HU, SE, CZ), ASME (e.g. SI, JP), CNSC (e.g. CA) or others (e.g. WENRA, IEEE, ANS).


IRSN/PSN-RES/SAG/2017-00019 95/142


5.3.2 AREA OF INTEREST AROUND THE NPP

In the corresponding country reports only few countries mention the consideration of the surroundings other than already mentioned in the reference documents. The Czech Republic for example refers to site evaluation and safety aspects for nuclear installations (corresponding to IAEA documents), taking into account geographical, meteorological, biological and transport data. Also special seismic analyses are cited in the Czech report. Most countries (e.g. UA) mention the consideration of distance of the hazard to the NPP.Slovenia made a proposal (following WENRA issue T) to set frequencies less than 10-4/a for operating units considering natural external events.

5.3.3 COMPARISON OF QUALITATIVE SCREENING CRITERIA

Common screening criteria are e.g. the distance of the hazard to the plant, the duration of the development of the hazard, a potential inclusion in already considered cases, a low frequency of occurrence, the potential of a damage, that is smaller than in the DBA cases or, for some countries, hazards, that have small contributions to overall CDF and LER (e.g. DE, CH). Canada includes the effects on SSC and scenarios that would influence the ability to implement emergency plans. Slovenia uses the conservative ANSI standard in its consideration.

5.3.4 COMPARISON OF QUANTITATIVE SCREENING CRITERIA

The cut-off frequencies vary for the different countries. Bulgaria screens out scenarios with a frequency below 10-9/a, whereas EDF considers an external hazards screening out criteria of 10 -7 /a for CDF or 10-8 /a for LRF. Hungary sets frequencies of less than 10-7/a (both for operating and new units) for man-made hazards and less than 10-4/a for operating units and 10-5/a for newbuilds considering natural external events. Bulgaria sets a limiting frequency for a quantitative contribution to the CDF/FDF of less than 10-9/a. Germany screens out scenarios with an estimated CDF below 10-6/a. Russia neglects events with a very low (<10-6/a) mean frequency of occurrence or events with equal or lesser damage potential than the events, for which the plant has been designed for. In the US, CDF has to be less than 10-6/a. It is recognized that for those new reactor designs with substantially lower risk profiles (e.g., internal events CDF below 10-6/a), the quantitative screening value should be adjusted according to the relative baseline risk value.


IRSN/PSN-RES/SAG/2017-00019 96/142


5.3.5 CONSIDERATIONS ON MULTI-UNITS SITE

Considerations on multi-unit sites are not performed by most countries. However Canada indicates that the potential for specific hazards simultaneously impacting several units on the site should be considered. It considers to review the lessons learned and to re-examine the safety cases of NPPs for ensuring that sufficient defence-in-depth margins are available, with a focus also on external hazards such as seismic, flooding, fire and extreme weather events.Germany asks for a proof that internal hazard events in one unit do not impact on the safety of an adjacent unit; however no specific requirements for identifying related initiating events are stated.

5.3.6 CONSIDERATIONS ON CORRELATED HAZARDS AND EVENTS

Correlated hazards and events are handled by some countries with a matrix approach (e.g. FR, CZ), considering all possible combinations and then selecting the relevant by defined criteria (e.g. frequency, degree of impact, possibility). Other countries define major criteria like significance (CA, SE) or frequency (DE, RO).

5.3.7 CONCLUSIONS

The approaches of the countries differ in detail but generally use systematic ways like matrices or schemes to consider the impact and the severity of internal, external and combinations of hazards. This is mainly done in reference to documents from e.g. IAEA or other authorities. One major criterion is the frequency of occurrence, whose limit is set differently in the countries with respect to the referred documents used for the screening process.

6 GOOD PRACTICES FOR EXTENDED PSAS

6.1 GENERAL CONSIDERATIONS FOR INITIATING EVENTS SELECTION

Initiating event identification and selection (screening “in” or “out”) for an extended PSA have to consider the objectives for which the PSA is produced. These objectives should help defining:

1. the aspects of risk which are relevant and for which the PSA model should provide results,2. the risk measures that are relevant in interpreting PSA results,3. the values of risk criteria for relevant risk measures, to which the extended PSA results should

be compared,4. an acceptable scope, level of details, and level of conservatism for the PSA.

These objectives may differ for a NPP during design or operation phases.


IRSN/PSN-RES/SAG/2017-00019 97/142


The screening approach for an extended PSA is based on the following assumptions on PSA scope:1. the risk is (or will be) described by L1 and L2 PSA,2. the risk measures for reporting PSA results for the unit and the site (if applicable) may differ

depending on the PSA application but it should include:a. core damage/fuel damage frequency as the main L1 PSA results,b. As a minimum for L2 PSA results, the large release frequency and the early release

frequency measures,c. Preferably for the L2 PSA results, the frequencies of an appropriate number of release

categories in order to calculate a meaningful risk profile.

A reasonable approach is to introduce progressively the sources of risk into the PSA model and to select the relevant internal initiating events and hazard scenarios:

1. start with internal initiating events screening and PSA model development,2. continue with internal hazard scenarios and integration into PSA model,3. extend by external hazard scenarios,4. complement with combinations of hazards and correlated hazards,5. complete by extension to multi-units and multi-sources considerations.

This approach assumes that a PSA model for a specific hazard scenario will benefit from the use of the available internal events PSA. Conceptually, each hazard scenario will be an initiator for an initiating event that is directly challenging some safety functions.

As confirmed by section 5, analysis of existing practices of the screening entails the following major steps.

For all operating states and all relevant sources on the site:1. Identification of possible initiating events, hazard scenarios, and combinations thereof,2. Plant response analysis and suitable grouping of initiating events or hazard scenarios to a

representative group,3. For each representative group, analysis consisting of

a. Qualitative plant response,b. Quantitative assessment of the likelihood of the scenario, of its consequences for the

plant,4. Definition of a set of initiating events and hazard scenarios for extended PSA analysis.

Screening needs to be done because in practice it is impossible to analyse all potential sequences after each and every initiating event. Therefore, screening is an approach to efficiently make use of available resources. Consequently, the screening assessment shall be based on relatively simple


IRSN/PSN-RES/SAG/2017-00019 98/142


analysis, referring to existing studies, often qualitative and using engineering judgement. Realistic assumptions can be used as well as bounding assessments. There are two different objectives how screening can be applied:

1. Firstly, screening can justify that several initiating events may be deleted from analyses, or that they may be binned into specific groups and need not be analysed individually. This approach is relevant if it is necessary to demonstrate that the plant under consideration complies with a certain quantitative objective.

2. Secondly, screening can identify the most relevant initiating events. This will help to make the most efficient use of available resources.

The next sections discuss some envelope good practices for each step of the selection of extended PSA initiating events. From an industrial end-user perspective, each step must be adapted and simplified in accordance with the responsible authorities where necessary to be effective enough to be able to identify rapidly predominant hazards eligible to extended PSA analysis. Therefore, the screening criteria – especially the quantitative criteria - shall be chosen to help identify the key predominant hazards eligible for extended PSA analysis, and thus to identify a limited subset of screened-in hazards. This is paramount to enable industrial end-user to better focus resources and direct them to address issues that present the highest significance to NPP Risks and Safety.It is for this reason that the screening process needs to be aligned to the objectives of the PSA in general and to overall requirements on the acceptability of limitations in scope and level of detail to decision makers.

6.2 SCREENING CRITERIA

The ASAMPSA_E report D30.2 [86] includes the following recommendations on screening criteria.“[S]creening criteria should be commensurate to overall PSA results and ensure that low probability/high impact events are not screened out. To that effect, a set of suitable risk metrics and threshold values (including CDF and LRF) should be defined.” [86], p. 29“The screening of initiating events for detailed consideration in the PSA should be performed not only based on PSA Level 1 risk metrics but also on PSA Level 2 risk metrics like e.g. different release categories, including at least one risk metric for large releases and one for early releases. Initiating events (including hazard scenarios) should only be screened out from the PSA, if they are screened out based on Level 1 and on Level 2 risk metrics. In addition, if a PSA Level 3 is intended, the screening process should include Level 3 risk metrics and thresholds as well.” [86], p. 33.


IRSN/PSN-RES/SAG/2017-00019 99/142


In addition, any screening procedure should be consistent with the respective goals set out by WENRA, which state for new reactor designs that “accidents with core melt which would lead to early or large releases have to be practically eliminated” [35], p. 24, and for existing reactors that “any radioactive release into the environment shall be limited in time and magnitude as far as reasonably practicable” [11], p. 23.

The recommendations given below are based on these ideas. From an industrial end-user perspective, they can be deemed to be more stringent that necessary and can be adapted and simplified where necessary in accordance with the responsible authorities to be effective enough to be able to identify rapidly predominant hazards eligible to extended PSA analysis.

6.2.1 QUALITATIVE SCREENING CRITERIA

With regard to qualitative screening criteria that can be used to screen out scenarios from an extended PSA ([4], [56], see also section 5.1.4.), application of the following criteria appear clearly to be a good practice:

1. the event poses no challenge to safety systems,2. the event is bounded by another initiating event or the induced accident scenario is already

included in the PSA (from other causes) (in that case, there is no need for a specific development of the PSA but its probability shall be considered in conjunction with another event (or group)).

If the event (external hazard) has the potential to induce catastrophic levels of destruction on the plant and regional scale offsite consequences such scenarios cannot be screened out from the extended PSA.

The following qualitative screening criteria may be less relevant:a. The event is very slow in development and fully efficient protection can be put in place on the

NPP against the event with a high level of confidence.An explicitly bounding assessment shall be performed for the traceability of the screening process and emphasize in the PSA approach the importance of the “fully efficient protection”. This information can be acquired during NPP normal operation (maintenance, tests for the protection …).

b. The event has a low frequency of occurrence and several trains (e.g. two [56]) of relevant safety systems are unaffected by the event.


IRSN/PSN-RES/SAG/2017-00019 100/142


6.2.2 QUANTITATIVE SCREENING CRITERIA

Numerical probabilistic safety targets are applied differently depending on countries. Interpretation of quantitative screening criteria may also differ from one country to the other.

Nevertheless the following approach for defining quantitative screening criteria for the selection of PSA initiating events is proposed as an enveloping good practice.

1. Based on regulatory acceptance criteria or established international guidance for CDF/FDF (e.g. 10-5/a for new reactors) and LRF/LERF, the maximum screening quantitative criteria shall be set to 1 % of that value. This results in the following minimum criteria:

a. FDFevent < 10-7/a(RMFevent < 10-7/a)

b. LRFevent < 10-8/ac. ERFevent < 10-8/a

(LERFevent < 10-8/a)2. If L1 and L2 PSA results are already available, then the above limits shall be reduced to 1 % of

the overall PSA results (if relevant) or kept unchanged:a. FDFevent < 1% FDFoverall if < 10-7/a

(RMFevent < 1% RMFoverall if < 10-7/a)b. LRFevent < 1% LRFoverall if < 10-8/ac. ERFevent < 1% ERFoverall if < 10-8/a

(LERFevent < 1% LERFoverall if < 10-8/a)3. An initiating event or hazard scenario should be screened out from extended PSA detailed

analysis, only if it can be screened out against all quantitative screening criteria.4. Bounding analysis to estimate the criteria above shall be preferred during the screening

approach.5. The bounding analysis shall consider both single unit (source) and multi units (sources); the

same numerical criteria shall be applied for a single and multi-units site.6. Very low frequency events associated to potential major consequences are often associated to

high uncertainties. Pessimistic bounding analyses or mean values of distributions may lead to results which violate the quantitative criteria above. If they are screened out nevertheless, a prudent approach shall be applied and possibilities to reinforce the plant defences shall be kept open independently of the extended PSA considerations. The extended PSA should clearly identify such events and how they are addressed.

7. A more precise analysis is needed for events which cannot be appropriately represented by a probability per year (typically reactor refuelling phase or seasonal effects); in that case, the maximum probability value for that event within the year shall be preferred when applying quantitative screening criteria.


IRSN/PSN-RES/SAG/2017-00019 101/142


Explanation of the point 7: an important remark relates to the differences between events treated properly by frequency of occurrence (per year) and events properly treated by a probability of occurrence within a year. For the former, the probability for the occurrence of the event is distributed uniformly over time and the event probability scales inversely with the reference time period, i.e. T 2 ∙ pT 1=T 1 ⋅ pT 2. For the latter, the event might happen with a certain probability p in a time

interval ΔT within a year. Obviously, the “event frequency” does not change for different reference intervals, if these intervals cover ΔT, i.e. p= pT 2=p∨¿ΔT∨ΔT ⊂ {0 ,T 1 }, ΔT ⊂ {0 ,T 2 }¿.

It is recommended performing screening based on time-averaged FDF/CDF in general but this is not applicable for events which are properly described as a probability per year. Salient examples of these types of events include internal initiating events specific to refuelling operation or other shutdown operating states. For hazard scenarios, these type of events are relevant e.g. to hazards for which the frequency of occurrence strongly varies over a year, e.g. due to seasonal variations. Rescaling those probability-per-year types of events to an observation period of one year is not appropriate for screening purposes. In these cases, it can be more appropriate to use instead the maximum probability value for that event within the year15.If there are indications of significant risk peaks already during screening a more detailed analysis of the scenario is recommended, since it might be related to a potential weakness in the safety design of the plant.

6.3 PLANT RESPONSE ANALYSIS, HAZARDS IMPACT ANALYSIS

6.3.1 GENERAL CONSIDERATION

Plant response analysis is an essential task for the screening of initiating events and hazard scenarios as well as the subsequent development of probabilistic model, both in screening analysis and in more detailed probabilistic modelling. The overall objectives of plant response analysis are to identify if the safety of the plant (i.e. safety of the fuel or of other sources) is challenged by the event or scenario under investigation, which fundamental safety functions are challenged either directly or by consequential effects, and if provisions for safety functions (SSC, barriers, other features) are effective or not. For hazards scenarios, hazard impact analysis describes the specific aspect of plant response after hazard effects within the plant.

Plant response analysis makes use from all available sources of information about the (transient) behaviour of the plant from deterministic assessments of PIE, deterministic hazard assessments, and existing PSA models.

15 Conceptually, the check is then against peak FDF(t), LRF(t), and ERF(t). However, an explicit calculation of time-dependent risk measures is not recommended, since this needs to rely on detailed models. For additional discussion on time-dependent risk measures, see D30.5.


IRSN/PSN-RES/SAG/2017-00019 102/142


For screening purposes, plant response analysis may rely either on realistic or on conservative assumptions and expert judgement, where specific information on plant behaviour is not readily available in order to limit analysis effort. Obviously, this has to be specific to the unit and the site.

The following is a summary of plant response and hazard impact analysis for the screening of external hazard scenarios. The concepts presented are broadly applicable to internal initiating events and internal hazards, even there are well-established techniques for those. Not only from an industrial end-user perspective, plant response and hazard impact analysis for the screening of external hazard scenarios shall be based on relatively simple analysis, referring to existing studies, often qualitative and using engineering judgment. Realistic assumptions can be used as well as bounding assessments. The following concepts can therefore be more stringent that necessary and must be adapted and simplified where necessary to be effective enough to be able to identify rapidly predominant hazards eligible to extended PSA analysis.

6.3.2 APPLICABILITY ANALYSIS

The first step in the screening of external hazards relates to applicability. Analysts need to identify those potential single or combined external hazards that are not relevant to the nuclear power plant and to the site due to site characteristics (e.g. tsunamis usually cannot affect plants located far away from seas and oceans). Use is made of the results of site investigation and evaluation to screen out hazards not applicable to the site. Expert judgement will play an important role.

6.3.3 IMPACT ANALYSIS

6.3.3.1 Approach

A more detailed deterministic impact assessment is performed for hazards that could not be screened out since they are applicable. The purpose of screening by impact analysis is to eliminate all those potential external events from the initial list of external hazard scenarios that do not have the potential to induce any transient on the plant, i.e. the maximum credible impact caused by an external hazard scenario does not induce any of the internal initiating events of the PSA or any additional initiating events previously not considered in the internal events PSA.

In general, the following two criteria are applied for screening by impact analysis:1. Severity: the effects of the event are not severe enough to cause damage to the plant, since it

has been designed for loads with similar or higher strength due to other event scenarios.2. Predictability: the event is very slow in developing, and it can be demonstrated with a high

level of confidence that there is sufficient time to eliminate the source of the threat or to provide an adequate and timely response without notably jeopardizing safety.


IRSN/PSN-RES/SAG/2017-00019 103/142


6.3.3.2 Load parameters

With regard to the first criterion, the most important parameters which best represent the load induced by an external hazard should be specified [4]. All parameters specified for the hazards should be taken into account in performing the impact analysis.

Examples of external event scenarios and associated load parameters are listed below16:1) external explosion:

a. maximum pressure wave [kPa];b. maximum heat flux [W/m2];c. peak ground velocity (due to vibratory ground motion) [m/s];d. maximum momentum of generated missiles [kg m/s];e. maximum concentration of a toxic substance for a certain exposure duration

[ppm/hour].2) external fire:

a. maximum heat flux [W/m2];b. maximum concentration of a toxic substance for a certain exposure duration

[ppm/hour].3) extreme wind:

a. maximum gust of wind (related to a 2 second period) [m/s];b. maximum of 10 minute average wind speed [m/s].

4) extreme air temperature:a. maximum and minimum instantaneous temperature [°C];b. maximum and minimum average temperature for a certain duration (e.g. daily or

weekly average temperature) [°C].5) extreme precipitation:

a. maximum precipitation intensity for a certain duration (e.g. 10, 20, 60 minute or daily) [mm/min].

6) extreme snowfall:a. maximum thickness of snow [cm];b. maximum snow water equivalent [mm/cm].

7) lightning:a. peak value of lightning current [kA];b. maximum steepness of the lightning current [kA/s];c. maximum charge of the lightning current [kAs];d. maximum specific energy of the lightning current [MJ/Ω].

16 See [D21.3] for a more comprehensive list.


IRSN/PSN-RES/SAG/2017-00019 104/142


6.3.3.3 Maximum impact

The maximum impact that can develop in the vicinity of the site due to an external event (or combination of events) should be determined for the purposes of impact screening. This should be based on reasonably conservative assumptions on those factors that determine the harmful effects of an initiating accident (e.g. assumed maximum freight in a transportation accident). Besides the maximum load induced by the event at the location of the source, the maximum impact on the plant is also assessed and used during screening. These two quantities, i.e. the maximum load at the source and the maximum load that can impact on the plant can be considered identical for most natural events (e.g. extreme wind), but they are usually different for man-made events (e.g. accidents during railway transport). The distance between the event location and the plant, the characteristics of propagation, spread and decay should be taken into consideration to determine the impact on the plant.

6.3.3.4 Maximum credible impact

If engineering estimates prove insufficient for screening, a more detailed analysis should be done as part of bounding analysis and the event should not be screened out at this stage. The maximum load on the plant induced by an external event applicable to the site under realistically possible boundary conditions is called maximum credible impact.The assessment of the maximum credible impact induced by most man-made external events can be based on site-specific geographical data. Typically, a limiting value can be determined for those parameters of the source that are relevant for the impact (e.g. energy) irrespective of the occurrence frequency of the event. For instance, the maximum pressure wave due to a road transport accident can be assessed by taking into consideration the following:

1) substances transported by trucks on roads near the plant (based on transportation records),2) maximum allowed cargo for each substance relevant for the roads in the vicinity of the site

(based on national or regional regulations on transport),3) physical-chemical characteristics of the substances transported,4) site specific meteorological data for the assessment of environmental spread,5) geographical data around the site (e.g. topography, terrain).

Estimating the maximum credible impact for a hazard or hazard scenario can be done by expert judgement, informed by all available information including hazard frequency curves. The maximum credible impact should be estimated in a conservative way. Deterministic siting and hazard studies will provide valuable input for PSA purposes.


IRSN/PSN-RES/SAG/2017-00019 105/142


6.3.3.5 Comparison of the maximum credible impact with existing protections

By comparing the maximum credible impact of an external hazard with existing protection of the relevant safety functions enables to decide if the external hazard can be screened out or not. For this reason the protection of the safety functions against the loads induced by external hazards has to be assessed. This is done by assembling all relevant design basis data for the SSCs affected by the external event. In some cases, especially for plants in operation, the information needed for the assessment may be incomplete. Consequently, deterministic screening criteria for certain impacts may be difficult to set. Use should be made of expert opinion on the protection against certain impacts (e.g. heat flux, pressure wave, missile penetration, etc.).

6.3.3.6 Exceedance frequency curves for the maximum credible impact

For many natural hazards screened in as applicable, a maximum impact at the site cannot be determined independent of the occurrence frequency or exceedance frequency. In these cases, the magnitude of hazard impact is effectively not bounded by physical effects or site-specific properties (e.g. tsunami height due to asteroid impact for coastal sites or earthquake magnitude for seismically active regions). Then, a maximum credible impact needs to be determined with explicit reference to frequency of exceedance curves with a reasonably small frequency threshold. This threshold will depend on screening criteria, and might be in the range of 10-7/a to 10-8/a or even below for PSA. If the analysts cannot demonstrate that the safety of the plant is not challenged by using such assumptions, the respective hazard should be treated by bounding assessment (see below). Often, design basis values are set at exceedance frequencies of 10 -4/a or 10-5/a and the main difficulty for the PSA development is to determine the exceedance frequency curve in the range 10-8/a to 10-4/a.

If a frequency value (or range) for the hazard is set, then the maximum probable impact can be assigned to the load parameter value (or range) of the frequency of exceedance curve. Often, the parameter at the median (“best-estimate”) value of the curve is taken. However, uncertainty bands should be considered at least as sensitivity cases. Defining maximum credible impact for this frequency value (range) at a high percentile (e.g. 95%) of uncertainty bands is recommended. This approach is meaningful if the region of interest of the hazard frequency curve can be determined without excessive uncertainty.

The hazard can be screened out due to impact if the safety of the plant is not challenged by the maximum credible impact (obtained from the low frequency part of the exceedance frequency curve). In that case, the frequency threshold for maximum credible impact (if applicable) shall be consistent with the quantitative screening criteria (see section 6.2).


IRSN/PSN-RES/SAG/2017-00019 106/142


6.3.3.7 Multiple impacts, secondary impact analysis on plant structures and systems

Many external events have more than one harmful effect, including secondary effects, too. For instance, a transportation accident may have simultaneous effects like pressure wave, heat flux, missile impact, release of toxic gases, etc. Furthermore, external fire, external explosion and release of toxic gases can be additional consequences (secondary effects) of an aircraft crash. These complex impacts may have more serious consequences than the individual ones; therefore they should also be taken into consideration.

In order to support the screening investigations in this regard, the Fault Sequence Analyzer method can be useful [68], [67]. This approach or similar analyses can provide valuable insights about potentially challenging combinations of hazard impacts for a specific hazard scenario.

All safety related plant areas affected by the external hazard scenario in question should be mapped for the purposes of plant response analysis in the initial screening phase. In general, the effects induced by external events belong to one or more of the following categories [71]:

1) Failure of structures: the external event may affect the structures by direct pressure (e.g. wind or snow load), pressure waves (e.g. explosion), ground shakes (e.g. explosion, earthquake), etc., so that the structures and/or the related safety functions are degraded or damaged. The following effects of area events are particularly noteworthy.

a. external flooding: undermining of buildings or structures, consequently disabling the safety functions contained.

b. Internal and external fire: extreme direct heat flux may destroy/degrade structures.2) Failures in systems: the external event induces failures in systems or components that lead

to challenges of plant safety. The following systems are particularly relevant.a. failure of HVAC (Heating, Ventilation, Air Conditioning) system: the external event may

affect HVAC functions and may cause partial or total loss of safety systems or components relying on heating or cooling.

b. failure of ultimate heat sink: the external event may affect the ultimate heat sink, consequently it may cause partial or total loss of cooling water supply for safety systems.

c. electric: the external event may generate electrical or magnetic fields, which may potentially affect transmission of power supply or control signals to safety systems.

d. failure of power supply: the external event affects the offsite power and may cause total or partial loss of offsite power or other power supply faults.

3) Spreading via failed barriers: Due to failures or unavailability of (designed) barriers, hazard effects spread into the plant leading to challenges to other structures (see the first item) or


IRSN/PSN-RES/SAG/2017-00019 107/142


systems and components (see the second item). This is particularly relevant for flooding and fire hazard events.

4) Spreading via systems and components: Due to effects in systems or components, which were not designed against (the magnitude of) hazard impact, hazard effects spread into the plant leading to challenges to other structures or systems. One salient example would be the HVAC system, which can spread the effects of fire and flooding scenarios.

5) Other direct impact: in a few cases, the event may have such effects that are not covered by the general categories above (e.g. plant isolation/limited accessibility, freezing).

6.3.3.8 Impact analysis on plant personnel

The existing guidance documents (e.g. [4], [71]) focus primarily on the impact of external events on systems, structures and components, without much consideration to effects that may influence the ability of the plant personnel to respond correctly in a timely manner. The impacts of an external event on plant personnel working open air at a nuclear site as well as the habitability within building enclosures of a nuclear power plant due to toxic gases, heat flux or radiological consequences of accidents at nearby nuclear installations are of high importance. The aforementioned impacts on the plant personnel should be taken into consideration during plant response analysis for initial screening. This is particularly relevant if the hazard scenario prevents necessary operator actions that are needed to bring and maintain the plant in a stable safe condition.

The accessibility of the plant as well as the conditions and the allowable time for working open air at the site should be evaluated for certain hazards. In general, protective measures are applied to reduce harmful effects on the plant personnel. These measures and their effectiveness shall be taken during screening. For that purpose the design basis loads of the protective measures are compared with the loads induced by the given (external) hazard scenario.

The consequences of accidents with toxic effects, heat flux or radiological effects at nearby nuclear installations should be taken into consideration in order to ensure the habitability of vital service areas within the building enclosures needed to maintain the safe conditions of the nuclear power plant. A significant reduction in health effects can be achieved by using sufficient air filtration and cleaning systems. Therefore, appropriate positioning and orientation of the air filtration equipment also helps to limit the health effects from inhalation within the plant buildings. Furthermore, the exposure time of the operating personnel can be limited by strictly controlling the allowable time at work.

Besides relevant design data, plant response information regarding an (external) hazard event scenario includes data on protective measures and administrative procedures. The protection may include special protective measures and protection features applied to prevent structures as well as of active or passive safety functions and the related plant systems. Also, early protective or mitigating human actions to prevent plant transients due to an external event, as defined in safety and operating


IRSN/PSN-RES/SAG/2017-00019 108/142


procedures, need to be considered, if the development of the hazard scenario is slow and grace time is large.

6.3.4 PLANT RESPONSE ANALYSIS FOR COMBINATIONS OF HAZARDS INCLUDING LESS INTENSE SCENARIOS

Plant response analysis is also applicable to combinations of hazards. Usually, correlated hazards have to be evaluated, since most of the hazards without any correlation can be screened out on the basis of event frequency. Combined hazards may have either the same types of impact as individual hazards, but they can also impose different effects on the plant.

If the effects are the same, the maximum credible impact is determined by the summation of the effects induced by the multiple hazards that belong to the combination. If there are different effects, then all types of impacts should be taken into consideration as complex effects.

Impact analysis for screening should not only consider rare, high impact events, but also less intense scenarios at or even below design basis values, as these might be relevant in combinations with other events. This effect has been observed for cases, where the provision of safety functions for one challenge depends on components that are not designed against impacts of the other.

One example can be the combination of a below DBE with very high temperatures. If the ventilation systems are not seismically qualified, they will likely fail for earthquake impacts even below the DBE threshold. As a consequence, temperatures in the I&C cabinets and other safety-related rooms will soon exceed their design values, leading to a high likelihood for the unavailability of multiple safety functions.

The Fault Sequence Analyzer approach [67], [68] (or equivalent approach) may give valuable information on potentially critical impact scenarios and can thus inform impact screening as well as bounding analysis.

6.3.5 BOUNDING ANALYSIS

Bounding analysis describes that task of estimating, with conservative approach, initiating event and hazard scenario frequencies as well as the respective conditional failure probability of plant safety provisions.

From an industrial end-user perspective, the task of estimating initiating event and hazard scenario frequencies as well as the respective conditional failure probability of plant safety provisions can be performed using either realistic assumptions or bounding assessments. The following proposal can


IRSN/PSN-RES/SAG/2017-00019 109/142


therefore be more stringent that necessary and must be adapted and simplified where necessary to be effective enough to be able to identify rapidly predominant hazards eligible to extended PSA analysis.

SSG-3 specifies (with respect to hazards) the following.“8.7 The bounding estimations should be based on models and data that are either realistic or demonstratively conservative. Such models and data include:(a) Assessment of the frequency of hazards (i.e. estimations of the frequency of exceedance of particular intensities);(b) Analysis of the impact of hazards on the plant (i.e. loads associated with the hazard);(c) Analysis of the plant response (i.e. fragilities);(d) Level 1 PSA models and data, etc., for the plant.” [4], p. 92.

The bounding analysis is an important element for reducing the number of internal initiating events which need to be analysed in more detail.

Bounding analysis for screening is usually inherently based on expert judgement. Experts need to use all available information on events, hazards, and plant response, using sources from deterministic analysis, probabilistic evaluations, operating experience, siting, simulation models, etc. These are then translated into claims on frequencies and conditional probabilities. Justifying these claims in a traceable manner but explaining the underlying reasoning, providing supporting arguments, and linking to available evidence is good practice.Moreover, it should be considered if and how work for bounding assessment in PSA can in turn inform or benefit deterministic safety cases and other safety demonstrations.

As with every expert judgement, only generic guidance can be provided. The following recommendations are proposed:

Bounding analysis for screening needs to be demonstrably conservative. This prevents scenarios to be screened out with potentially relevant contributions to risk.

Bounding analysis can be made at different levels of sophistication. Particularly for initial screening, (very) conservative estimates are acceptable. Such values could be based on a high confidence of a small value type of approach or could correspond to a 95% percentile of the (possibly unknown) distribution at a confidence level of 95%.

In order to limit the amount of initiating events and hazard scenarios for a more detailed analysis, more realistic bounding estimates can be necessary. Such estimates can be

a. Based on conservatively estimated mean values for frequencies or probabilities.b. Based on simplified probabilistic models

Analysts could make separate (bounding) estimates for the failure probability of different (groups of) safety functions, barriers, related plant compartments, or other provisions available to control the scenario.


IRSN/PSN-RES/SAG/2017-00019 110/142


c. With regard to hazard scenarios, simplified probabilistic modelling can include separate estimations on the conditional probabilities for hazard impact propagation, consequential effects, triggering of initiating events, and protection measures.

Estimations based on simplified probabilistic modelling need to critically examinea. Potential common cause failures.b. Boundary conditions (e.g. impact of hazard effects).c. Interactions and interdependencies with other units.d. Shared systems and resources, which cannot (simultaneously) supply all relevant

demands from the connected units, could be assumed to be unavailable for bounding assessment.

Bounding analysis for hazards needs to be based on their impact characteristics.

For some hazards like e.g. internal fire, specific bounding analysis approaches have already been developed.

Bounding analysis should be made in a progressive manner.1) The first step will be the estimation of the frequency of occurrence of the initiating event or

hazard scenario. At this step, the conditional probabilities for severe consequences (whatever they may be) should be assumed to be 1.

2) If the event or scenario cannot be screened out on frequency alone (a quite common case), estimates on the PSA Level 1 risk metric, i.e. FDP and possibly RMP, have to be made with an adequate level of sophistication (see above). At this stage, CLRP and CERP should be assumed to be 1.

3) If the event or scenario cannot be screened out because it fails the Level 2 criteria, additional estimates on CLRP and CERP with an adequate level of sophistication have to be made.

During bounding analysis, the analyst might notice that the scenario under consideration can be reasonably assigned to an already existing initiating event or hazard scenario group based on plant response analysis. This option should be preferred, especially if there is a detailed PSA model available for that group.

Bounding analysis should allow for demonstrating that certain events are extremely unlikely to develop into a large release or an early release scenario. This provides valuable justification to decision makers and stakeholders that low probability/high consequence events have been comprehensively identified so traceability is crucial. Importantly, using bounding analysis for the assessment of a scenario does not remove the need for practical elimination of a sequence with unacceptable risk.


IRSN/PSN-RES/SAG/2017-00019 111/142


For screening purposes bounding assessment related to site risk measures should not be necessary. Claims for each unit from bounding assessment should be added up to arrive at site-level risk contributions from bounding assessment.

6.4 SELECTION OF THE INDIVIDUAL INTERNAL INITIATING EVENTS TO BE CONSIDERED IN A SINGLE UNIT PSA

The screening process for internal initiating events is an established practice for current PSA. For the identification of initiating events, the following approaches [4], [7] can be used in general:

a) List of initiating events, either from other existing PSA or recommended in standards and guides;

b) Evaluation of operating experience events (databases like INES, IRS, WANO etc.), and events specific to spent fuel pool;

c) Bottom-up analysis approaches like hazard and operability (HAZOP) studies or failure mode and effects analysis (FMEA);

d) Master logic diagrams which develops a plant level logic structure whose basic input events are the initiating events, for identifying failures leading to challenges of normal operation;

e) Evaluation of the plant safety analysis report and other deterministic analyses on design and beyond design basis accidents.

It should be also noted that approach in [4] requires that the set of internal initiating events used as the basis for the Level 1 PSA should be as comprehensive as possible. It is recognized that it is not possible to demonstrate that all possible initiating events have been identified. However, by using a sufficiently comprehensive combination of the different approaches (e.g. above), it is possible to gain confidence that the set of initiating events that has been identified for the plant is as comprehensive as possible.It seems that this has not always been the normal practice. For example, in the deterministic safety analysis report for Advanced Pressurized Water Reactor (APWR) the following statement was written: “Due to the similarities between the MHI US-APWR and the current generation of PWRs operating in the United States, MHI has determined that no new event types are required to bound the possible initiating events.” [104].The plant systems and major components could be reviewed to see whether any of the failure modes could lead directly or in combination with other failures, to significant disturbances of plant operation, requiring operation of mitigating systems. Partial failures of systems need also to be considered as well.There is a lot of experience in the PSA community on the spectrum of internal initiating events for all operating modes relevant for the different NPP designs. For a summary of the generic approach based on SSG-3 [4], see section 5.1.1.2. Therefore, comments are provided only on some specific aspects relevant for the proposed screening approach for an extended PSA.


IRSN/PSN-RES/SAG/2017-00019 112/142


First, the screening for an extended PSA may assume significantly lower quantitative screening thresholds than established practices. Therefore, internal initiating events, which have been screened out from more detailed assessment may need to be re-assessed. This particularly includes a check of screening out internal events against the recommended PSA Level 2 screening risk measures.Regarding internal initiating events screening against PSA Level 2 risk measures, particular attention should be given to IE-specific boundary conditions or unavailabilities relating to the containment function of the NPP. For example, event scenarios, which are inherently intertwined with an open containment or a containment isolation failure, are potentially significant contributors to LRF and ERF scenarios. Such boundary conditions can also originate from different operating modes, e.g. shutdown states with and without an open containment.

Based on the ASAMPSA_E investigation of the link of DiD and PSA (cf. ASAMPSA_E deliverable D30.4 [109]), the spectrum of internal initiating events screened for PSA should be cross-checked against the list of PIE for deterministic safety assessment. Particularly PIE classified as DEC events can complement the spectrum of initiating events for PSA and vice versa.Another link between deterministic and probabilistic assessment approaches lies in determination of initiating event frequency. Obviously, this determination should come from the same data and results should not be inconsistent.

For internal initiating events, frequency estimates down to the range of about 10 -6/a can often be justified based on operating experience, by extrapolation of operating experience, or by combination of operating experience with modelling assumptions. In these cases, uncertainty bands for the respective values are usually limited (to about an order of magnitude at most).However rarer events pose significant challenges to analysts. Extrapolations from available data (e.g. by extreme value statistics) may lead to results with excessively large uncertainty bands. In these cases, the ASAMPSA_E project recommends as far possible combining available data with event model information (e.g. structural integrity assessments and simulations) and adjusting results based on expert judgement. Especially for screening purposes, conservative estimates of event frequencies are sufficient. Therefore, using conservative point estimate values based on a high probability that the actual frequency value is lower should be considered as an approach (cf. e.g. the “High Confidence of Low Probability of Failure (HCLPF)” concept for seismic safety analyses [21]). Direct estimations - even based on expert judgement - of the 95% percentile at a 95% confidence level for the event frequency will likely lead to results at an appropriate level of accuracy and conservatism for screening. Such estimations can then be refined, if a more stringent treatment of the event either in bounding analysis or in a detailed PSA is merited based on its contribution to the risk measures of interest.

The internal events screening needs to include the spent fuel pool, if not separated from the reactor core in a specific facility. The spectrum of initiating events affecting the SFP needs to entail reactivity accident scenarios, if relevant, as well as loss of fuel cooling scenarios. To the extent that a specific


IRSN/PSN-RES/SAG/2017-00019 113/142


PSA model still has to be developed, the deterministic safety case for the SFP will provide valuable insights on initiating events for the different operating modes.With regard to other multi-source considerations related to internal initiating events, see section 6.8.

6.5 SELECTION OF THE INDIVIDUAL INTERNAL HAZARDS SCENARIOS TO BE CONSIDERED IN A SINGLE UNIT PSA

There is established internal hazard screening guidance available from several sources, e.g. SSG-3 [4] or the ASME PSA guide [33]. Internal hazards scenarios to be considered include

(a) Internal fires;(b) Internal floods;(c) Heavy load drop;(d) Turbine missiles;(e) Internal explosions” [4], p. 65.

Detailed PSA investigations have been performed in particular for internal fire and internal flooding scenarios, with respective guidance on specific screening available. Nonetheless, several remarks and recommendations with respect to the proposed screening approach for an extended PSA can be made.

The aforementioned internal hazards can be extended by several additional classes like e.g. electromagnetic interference or collapse of structures as mentioned for deterministic internal hazards assessment or from country presentations, cf. e.g. sections 5.1.1, 5.2.5, or 5.2.6. A systematic approach similar to the approach for internal initiating events identification needs to identify those scenarios, which induce a challenge to plant safety, i.e. an internal initiating event. For the further analysis, consequential and secondary failures of the internal hazard have to be considered.The screening approach for an extended PSA assumes that an internal initiating events PSA for the reactor core and for the spent fuel pool (if applicable) is available to inform the screening. Consequently, internal hazards PSA should be extended to the SFP.Based on experience, single internal hazards other than internal fire and internal flooding have either been screened out from further consideration or assessed with bounding assessment approaches. This is mainly due to the observation that these other internal hazards either do not (easily) trigger events that lead to fuel damage states (due to reactivity accidents or excess cladding temperature) or that the resulting scenarios are enveloped by existing internal initiating events with significantly larger IE frequencies.

In view of the proposed screening approach and the quantitative screening criteria, it is recommended that internal hazard screening needs to be extended with regard to the following aspects:

Consideration of internal hazards originating from outside of the unit but from inside of the plant or site perimeter. This should include the following effects, which can basically be treated like other (external) man-made hazards,


IRSN/PSN-RES/SAG/2017-00019 114/142


a. Fires at other installations on the site like e.g. hydrogen or hydrocarbon fuel storage facilities,

b. Flooding originating from installations on the site like e.g. leakages from water storage tanks or fire protection systems,

c. Explosions originating at other installations on the site, e.g. a hydrogen gas explosion after a generator blowout,

d. Missiles originating at other installations on the site like e.g. a turbine missile from another NPP on the site. Note: Such a missile might be screened out for the originating installation,

e. Electromagnetic interference from other sources on the site, e.g. due to welding work near the affected unit,

f. Hazardous gas releases from other installations on the site, e.g. hydrogen releases during a severe accident in another unit (multi-unit effect),

g. Accident level radiological releases from other installations on the site (multi-unit effect).

Consideration of effects on containment function availability with respect to PSA Level 2 screening measures,

Combination of internal hazard scenarios and independent or correlated internal initiating events,

Extension to the internal hazard scenarios affecting the spent fuel pool.

With respect to the determination of internal hazard scenario frequencies, basically the same comments as for internal initiating events apply. To the extent sensible, internal hazard scenario frequencies should be based on (mostly generic) operating experience. This should be combined with expert judgement using also information for deterministic hazard assessment specific simulation models, as appropriate and available. Such generic operating experience is available in particular for internal fire and also for internal flooding (from component integrity data bases). For other internal hazards, it is assumed that there is a dearth of generic information on such frequencies, as these are commonly screened out from further detailed analysis.It has to be emphasized that certain internal hazards are strongly dependent on time. For example, internal fire initiators are known to be more likely during shutdown operation due to respective work. High energy faults of components (power switches as well as pressure vessels) will depend on the component being in operation. For screening purposes, internal hazard scenarios that strongly depend on time should be treated as “probability per year” types of events. In that case, the peak probability value over a representative time interval should be assumed for screening purposes.

The proposed screening approach for extended PSA requires the consideration of very rare events. Initiating frequencies of such rare events (e.g. significantly below 10-6/a) will be hard to justify with a best-estimate approach. For screening purposes, it is recommended using conservative point estimate


IRSN/PSN-RES/SAG/2017-00019 115/142


values based on expert judgement. Such estimations can then be refined, if a more stringent treatment of the event either in bounding analysis or in a detailed PSA is merited based on its contribution to the risk measures of interest.

Internal hazard scenarios need to be mapped to initiating events. This requires the consideration of the effects of the initiator event on the plant. Plant response analysis needs to consider the resilience of the plant (i.e. its SSCs) against hazard impact as well as the spreading of the hazard and its consequential effects (salient examples: fire and flooding). It has to be pointed out that this necessitates a bounding assessment for internal hazard scenarios. PSA analysts have to propose claims on two important aspects:

1) Conditional probability for the failure of provisions against potential spreading and other consequential effects of the scenario,

2) Conditional probability of triggering an initiating event.

Due to the large number of potential initiators (e.g. rooms with a high fire load and prone to internal fire), effective bounding assessment is an essential task for internal hazards PSA. Moreover, grouping internal hazards scenarios, that have not been screened out (as not challenging plant safety), into enveloping hazard scenario groups will be needed. This will significantly reduce the number of detailed PSA models.In addition, the deterministic analysis of internal hazard should result in a comprehensive protection concept with efficient protection measures. Internal hazards screening should confirm the effectiveness of the deterministic protection concept. .Finally, it has to be pointed out that a number of internal hazards are rather unlikely to get relevant with respect to the FDF risk measures. A prominent example would be heavy load drop damaging a number of fuel elements in the spent fuel pool (without impairing fuel cooling). Another example would be a high energy fault damaging the radioactive waste treatment system. For such scenarios, screening against the proposed radionuclide mobilization frequency risk measure should be considered. For further multi-source considerations, see section 6.8.

6.6 SELECTION OF THE INDIVIDUAL EXTERNAL HAZARDS SCENARIOS TO BE CONSIDERED IN A SINGLE UNIT PSA

Improving hazard identification for PSA is one of the main lessons learned from the Fukushima Dai-ichi accident. The following recommendations from the report ASAMPSA D30.2 [86] are particularly relevant.

“Site specific hazard identification has to be systematically extended to scenarios in the design extension conditions range […], especially for the purposes of an extended PSA.” [86], p. 11


IRSN/PSN-RES/SAG/2017-00019 116/142


“All natural hazards that might affect the site shall be identified; a wide spectrum of rare events should be assessed.” [86], p. 11“It has been recognized that current methods as well as data used for determining frequency vs. likelihood curves for a lot of hazards are limited in their validity and often fraught with high uncertainties. Methods for treating correlated (hazard) events – if available at all – are usually not mature. Consequently, this is identified as a field for additional research […].” [86], p. 29“The screening process should consider justifiable frequencies for the hazards of relatively high magnitude even if they have never been observed in the past in the plant vicinity. The impact of correlated hazards should be carefully considered.” [86], p. 15“Screening criteria should include suitable risk metrics for covering accidental release risk like e.g. large release frequency or conditional containment failure probability.” [86], p. 15“Screening should be done by combining fixed threshold values (e.g. for frequency of exceedance) with criteria relative to the risk level of the plant (e.g. using metrics like CDF, LRF, CCFF, etc.).” [86], p. 15

External hazards screening for a specific site should start from a comprehensive list and narrow this down in the further steps of screening. The report ASAMPSA_E D21.2 [94] provides a comprehensive list of natural and man-made hazards that can serve as a good starting point. In addition, the operational history of the plant in question and of similar plants should be reviewed to search for any events involving functional degradation or unavailability of systems due to external events which should be added to the list. The publicly accessible databases that contain summaries of accidents and near misses that have occurred in hazardous processes around the world should be consulted. The report ASAMPSA_E D10.3 summarizes external hazards with high amplitude that have affected NPP in operation [99].

The first step in the screening of external hazard will be applicability screening. Analysts need to identify those hazards that are not relevant to the nuclear power plant and to the site due to site characteristics (e.g. tsunamis usually cannot affect plants located far away from seas and oceans). Hazards can be screened out as not applicable because

1) The hazard is not applicable to the site due to physical, geological or other properties. 2) The hazard does not challenge the safety of the plant (cf. section 6.2).

Applicability screening should initially be performed using a maximum (credible) impact and needs input from plant response analysis, cf. section 6.3.

With respect to the actual determination of frequency of exceedance curves for single hazards or combinations of hazards, the reader is referred to the hazard-specific ASAMPSA_E topical reports.

The determination of frequency of exceedance curves for hazards will require input from (several) subject matter experts on the respective hazards. Moreover, it is a well-known problem that the


IRSN/PSN-RES/SAG/2017-00019 117/142


amount of data particularly on rare, high amplitude hazard events is often severely limited. Current operating experience and knowledge often limits frequency estimates for single events and phenomena to values in the range of 1 10-4 to 1 10-7/a. Using statistical methods like extreme value statistics to extend limited data far outside of the reference time frame is fraught with large uncertainties and might produce arbitrary results. Such extensions by several orders of magnitude are therefore not encouraged. Instead, available data for the site have to be completed by using regional data and by evaluating historical data or paleogeological information. Since rare mechanisms and phenomena, which could result in severe hazard impacts, might be missing from the available observations altogether, these should be complemented by investigations of such potential mechanism and phenomena. These investigations will often require dedicated simulation models, calculations or expert judgement. PSA analysts should decide on the methods of investigation and the resources dedicated to that based on the available data (for the site), availability of simulation models and of expertise while considering the level of uncertainty in available hazard characterizations, the contribution to the overall risk and the added value that could be reached by a more in-depth investigation.

One essential step after the determination of frequency of exceedance curves (with respect of characteristic hazard impact parameters like e.g. peak ground acceleration or flooding height) is the subdivision into more specific hazard scenarios based on the characteristics of the plant. The partitioning should be informed by plant response and hazard impact analysis, design values of SSC regarding different impacts, deterministic assessment results, other hazard PSA results, etc. as appropriate.

The subdivisions need to be made in light of important thresholds of the plant with regard to the impact parameter. Important limiting thresholds for screening will be the following:

1) Minimal hazard impact magnitude with challenges to plant safety (trigger for an AOO type of event),

2) Design basis hazard impact magnitude for design basis accident conditions,3) (Maximum) hazard impact magnitude assumed for design extension conditions,4) Hazard impact magnitude with an assumed cliff-edge to catastrophic failure.

Usually, (single) external hazard impact is characterized by a single impact parameter. If, however, a set of impact parameters needs to be used (e.g. precipitation, wind speed, humidity, etc. for extreme weather), this subdivision needs to be made on the set of relevant impact parameters.

As an example is discussed severe weather impact due to heavy snow. Usually the plant will cope with a certain snow weight on buildings and snow levels on the plant site without significant impairments to safety systems or adverse effects on operational systems, no event is triggered. This relates to the first alternative, the risk is covered by the general risk of the plant. In case of more severe snow up to


IRSN/PSN-RES/SAG/2017-00019 118/142


design basis limits, a shutdown and likely loss of offsite power will be the main probable consequence of the scenario. For beyond design basis snow loads, safety-important equipment will be rendered unavailable, for example (e.g. EDG air intakes covered by snow), and emergency measures might no longer be possible. Based on plant response analysis, a maximum impact level needs to be determined17. Excessive snow loads could potentially lead to catastrophic building collapse (e.g. the reactor building) with catastrophic off-site consequences.

Based on the frequency of the occurrence curve (often a cumulative distribution), a bounding estimate frequency for the respective subset has to be determined. The specific hazard scenario is then described by enveloping impact parameters and the assigned frequency value.

The bulk of the frequency distribution will usually fall within the first two classes or even below. Moreover, these two classes can often be screened out for further detailed analyses by (cf. section 6.2) the following criteria:

1) The event poses no challenge to safety systems,2) The event is bounded by another initiating event,3) The scenario is already captured in the PSA model as an intermediary state18.

The group corresponding to impact magnitude related to a catastrophic cliff-edge effect can often be screened out from further detailed analysis because:

1) Such hazard impact magnitudes are not physically possible for the hazard source under consideration,

2) Such hazard impact magnitudes are not applicable to the site,3) The estimated frequency for such hazard impact magnitudes is significantly below quantitative

screening values and thresholds for practical elimination.It is emphasized that application of the latter criterion includes these hazard scenarios into the overall PSA results.

The next step consists of identifying initiating events triggered by the specific hazard scenarios. When identifying internal initiating events for hazard scenarios during screening for a hazard PSA, analysts should have access to the internal events PSA Level 1 and Level 2 for all operating states for the plant and, if applicable, for the site. The PSA model should cover the spent fuel pool and other major sources for fuel damage, as applicable. If this is not the case, it is recommended to check hazard screening results as the internal events PSA models become available. For the identification of initiating events and unavailabilities of safety-related SSC, so-called “hazard equipment lists” are an essential tool. Guidance on these lists can be found in e.g. in Ref. [100].

17 It is noted that this impact magnitude might have been defined as maximum credible impact based on practical elimination reasoning in deterministic safety analysis.18 This situation might arise if external hazard initiators or conditional probabilities are already considered in the (internal events) PSA model, e.g. via initiating event fault trees.


IRSN/PSN-RES/SAG/2017-00019 119/142


“Probabilistic hazards analysis routinely maps the hazard impact on the plant to initiating events for an (internal) accident sequence model, which is usually already present in the PSA” [86], p. 19. For that mapping, insights from plant response analysis and bounding analysis will be essential. The following cases can be distinguished19:

1. The hazard scenario contributes to an initiating event which is already modelled in the PSA, and is not altering any other conditions assumed in the internal events analysis. Analysts need to check that not only PSA Level 1 but also PSA Level 2 boundary conditions are identical or at least comparable between the internal IE and the hazard scenario. Based on the screening approach, the hazard scenarios should be grouped into the initiating event group. Salient examples include loss of off-site power (heavy snow, lightning, etc.) scenarios. Analysts need to check if these events are covered by the operating experience used for the determination of (internal) initiating events frequency. However, grouping hazard scenarios with very different ranges of uncertainty – regarding frequency of occurrence as well as plant impact and accident development – should be avoided to the extent sensible.Hazard-specific contributions can be derived from importance values for PSA end results. There is no need for additional modelling.

2. The hazard scenarios induce an (internal) initiating event but with different boundary for the PSA Level 1 or PSA Level 2 model. Then, the hazard scenario should be linked to the existing IE, with appropriate boundary conditions. Further consequences of hazard impact (e.g. common cause failures) relevant to the event tree or fault tree modelling can then be considered by setting appropriate boundary conditions on the availability of required safety functions and accident management measures. This standard approach is well described in SSG-3 [4].Depending on the overall PSA structure, modelling practices, and the modelling tool, either the hazard event scenario is added to the (set of) initiators treated in the event tree together with the respective boundary conditions. Alternatively, the existing event tree/fault tree model is copied, linked to the hazard scenario as an initiator and the respective boundary conditions are set to the model. Whether hazard scenario specific boundary conditions or effects are considered via setting logic switches or by adapting the actual fault tree/event tree structure e.g. by adding additional (scenario-specific) basic events depends on the overall modelling approach.

3. If the set of internal initiating events does not include a suitable initiator and accident sequence (event tree) model that can be mapped to the hazard scenario, a new IE should be defined. In any case, analysts will have to model the accident development and systems analysis under scenario-specific conditions as it is done for internal events (cf. SGG-3 [4]). The Fukushima Dai-ichi accident highlighted the need for defining initiating events for risk sources

19 It should be noted that simplified probabilistic assessment approaches are already covered under bounding assessment as described in section 6.3.


IRSN/PSN-RES/SAG/2017-00019 120/142


other than the core (as the spent fuel pool) and systematically mapping hazards to those initiating events for full power as well as low power and shutdown operations. [86]

Further guidance can be found in report D22.1 [96] and the hazard-specific ASAMPSA_E reports.

For screening purposes, this initial mapping to initiating events and the associated bounding analysis will often be sufficient. If hazard scenarios might be screened out from further analysis due to initial mapping and respective bounding analysis, analysts need to check for the following:

1) A hazard scenario might trigger several (distinct) initiating events with different probabilities. The screening needs to ensure that at least bounding assumptions on the triggered event, the overall conditional probability, and consequences with respect to Level 1 and Level 2 risk measures have been made.

2) If the hazard scenario triggers a “near miss”, i.e. there is only a (weak) line of defence left to prevent core damage or (assuming the use of a PSA model) there are minimal cuts triggered by the hazard scenario and its enveloping boundary conditions that include only one additional, non-consequential failure.

If hazards screening is iterated in order to reduce the scope of detailed analysis, a refinement of the hazard scenario subdivisions can be considered. Depending on further subdivisions of hazard impact magnitude, different boundary conditions, conditional failure probabilities, and eventually consequences can be justified as bounding estimates. Such subdivisions can be based e.g. on components operability limits, assuming that:

o SSCs will fail if the loads (acceleration, vibration, humidity, temperature, etc.) exceed the design loads,

o SSCs will remain operational if the loads are below the design loads,o all equipment located inside damaged buildings/structures or close to the failed structures will

be inoperable,o human actions are successful if they are performed from a location not affected by the hazard

and with pathways available after the hazard occurrence.

The principles for internal initiating events grouping can be transferred to hazard scenarios. In order to reduce the amount of detailed analysis, a hazard scenario group with enveloping boundary conditions and impact characteristics can be defined. The grouping should not be overly conservative and it shall be made in such a way that hazard scenarios assigned to the group would induce the same or a reasonably similar plant response with regard to same success criteria on the frontline systems, challenges to plant operators, and plant damage states for PSA Level 1 and PSA Level 2. In particular, it should be checked if the accident progression after the initiating event will trigger the same mitigating systems and with the same (or less onerous) success criteria. Moreover, the availability and operability of safety systems and support systems, grace periods and requirements on operators should be similar or less onerous than those of the bounding event.


IRSN/PSN-RES/SAG/2017-00019 121/142


It is emphasized that the process for the identification and mapping of internal events triggered by hazard scenarios, the grouping and/or partitioning of hazard scenarios with regard to mapped internal events, the identification and establishment of boundary conditions on the internal events assigned to each hazard scenario, and the development of a model for an extended PSA is to be understood as an iterative process.

It is recommended applying the screening criteria outlined in section 6.2. No hazard-specific screening criteria are recommended. Since external hazards are usually affecting the site, site-PSA considerations play a role, cf. section 6.8. For discussion on combinations of hazards and correlated hazards, see section 6.7 below.

6.7 SELECTION OF THE COMBINED/CORRELATED HAZARDS SCENARIOS IN A SINGLE UNIT PSA

With regard to the selection of combinations of external as well as internal hazards and correlated hazards and internal events, the following recommendations from the report ASAMPSA D30.2 [86] are particularly relevant.

“A realistic set of combinations of hazards should be identified on the basis of a list of individual internal and external hazards, before the application of any screening criteria. It should be done through a systematic check of dependencies, by identifying: hazards occurring at the same time and in the same conditions (e.g. winds and snow); hazards and other internal events occurring at the same time (e.g. if a hazard situation

persists); external hazard inducing other external hazards (e.g. seismically induced tsunami) ; external hazard inducing internal hazards (e.g. seismically induced internal fires); internal hazard inducing other internal hazards (e.g. internal floods induced by missiles).” [86],

p. 13“The screening process should consider justifiable frequencies for the hazards of relatively high magnitude even if they have never been observed in the past in the plant vicinity. The impact of correlated hazards should be carefully considered.” [86] p. 15

The scope of hazard screening needs to be comprehensive. The ASAMPSA_E project has drawn up a list of external hazards, including man-made hazards, which by themselves or as combinations can apply to the site of a nuclear installation. The correlations between hazards can lead to the following categories of combinations [96]:

causally connected hazards where one hazard may cause another hazard; or where one hazard is a prerequisite for a correlated hazard,


IRSN/PSN-RES/SAG/2017-00019 122/142


associated hazards which are probable to occur at the same time due to a common root cause.The causality dependence can be divided into two categories:

causality dependence between the specific hazard and the external natural hazards group, causality dependence of specific hazard with the man-made hazards group.

With respect to internal hazards, the analysis has to be extended to consider the following issues: Internal hazard scenarios are triggered as a consequence of external hazard impact (e.g.

external flooding entering the reactor building), Internal hazard scenarios triggered on the site but not in the unit or for the source currently

analysed (cf. section 6.5), Internal initiating events, for which probability of occurrence correlates with the hazard

scenario frequencies (e.g. a LOOP scenario might be more likely due to high grid load in conjunction with a heat wave or during the hurricane season).

As a first step, PSA analysts should develop a matrix of all reasonable (bounding) combinations of hazards deemed applicable to the site. Quantitative screening thresholds as defined in section b probably should be applied. Such a matrix needs to consider all hazards, even if they have been screened out individually (for not challenging the plant or based on bounding analysis, hazard screened out individually because they are not applicable to the site must not be considered for combinations). The screening of combinations should not only consider rare, high impact events, but also less intense scenarios at or even below design basis values, as these might be relevant in combinations with other events. One salient example would be the combination of high external temperatures with a design basis earthquake, which was identified as a contributor for a NPP, since ventilation systems were not qualified for earthquake impact and the subsequent temperature increase in safety related buildings would impair safety-related I&C.For each entry in that matrix, an enveloping set of maximum (credible) impact characteristics needs to be defined. It then has to be checked if this enveloping set of impact characteristics would challenge the safety of the plant. The results of an investigation following the Fault Sequence Analysis (FSA) method [67], [68] or similar approaches will be invaluable for that purpose.If combinations are identified as potentially applicable and relevant for the plant, the further screening will follow the concepts outlined in sections 6.6, 6.5, and 6.4. Screening of combinations of external and internal hazards for PSA is a field with need for further research. This applies in particular to the determination or bounding estimation of adequate frequency of occurrence or conditional probability values for combined/correlated hazard scenarios. The same considerations as for rare external hazards apply. Regional frequency approaches as described in ASAMPSA_E report on flooding PSA are a good way to enlarge the data basis.

Finally, the screening of combinations of hazards needs to efficiently use strategies for grouping hazard scenarios for specific combinations into enveloping hazard scenario groups. However, grouping hazard scenarios that are very different in terms of levels of uncertainty on frequency of occurrence or


IRSN/PSN-RES/SAG/2017-00019 123/142


hazard impact and accident development should be avoided to the extent possible. The use of bounding assessment will be essential for limiting the amount of cases for a more detailed analysis.

6.8 SELECTION OF INITIATING EVENTS FOR MULTI-UNIT, MULTI-SOURCE PSA

The report ASAMPSA D30.5 [87] includes a discussion of risk measures for multi-unit and multi-source PSA (site-level PSA). Based on this discussion, the following important conclusions can be drawn:

Site level risk measures can be defined by extending common unit- or source-level risk measures. Specifically, risk measures recommended for screening can be extended to the site level.

Site-level risk results can be estimated from unit- or source-level risk measures. As corollary, initiating events and hazard scenarios that are screened in based on unit- or

source-level risk measures are also screened in based on the respective site level risk measures.

For the recommended risk measures from section 6.2 and given the recommended quantitative screening, the following observations can be made

a. Events and scenarios not screened in based on FDF for any unit or source will not be screened in on FDFsite.

b. Events and scenarios not screened in based on LRF or ERF or RMF for any unit or source are for practical purposes also not screened in based on LRFsite or ERFsite or RMFsite. Deviations would result from multi-source release scenarios, for which all single-source releases are below the release threshold for those three risk measures, but the combined releases are above. Since release estimates during screening shall be adequately conservative, this possibility will not be relevant in practice.

It follows that all events and scenarios screened in for site-level risk measures will be screened in based on one unit- or source-specific screening risk measure. Consequently, no screening specific to site-level risk measures will be necessary.

Importantly, this discussion rests on the assumption that unit- or source-level PSA results adequately consider all site-level effects. Consequently, if screening for hazard scenarios (external but also internal) for an extended (i.e. in this case site-level) PSA is to be performed, PSA analysts should have access to a comprehensive site-level internal initiating events PSA Level 1 and Level 2 for all operating states and all sources.

The following comments are due regarding site-level PSA: For each screened in event and scenario, PSA analysts need to check during the development

of the probabilistic model if and which multi-unit or multi-source aspects have to be included in the PSA model. Some remarks and recommendations on that task are provided below.


IRSN/PSN-RES/SAG/2017-00019 124/142


The identification process of initiating events and hazard scenarios needs to consider shared systems and connections between units and sources for determining if they can trigger an initiating event for each single unit or source.

The issue of how to structure a site-level PSA model is still subject to research since only limited practical experience has been gained so far. Site Level PSA includes single unit PSAs that consider the impact (positive or negative) of the other site units on the accident sequences, fully integrated PSA models that addresses accident sequences that may involve any combination of reactor units and radiological sources, and hybrids of these models. Generally speaking, site-level models can be constructed from existing single unit/single source models, if the separation between the units/sources is highly effective (physical separation, no shared or interconnected systems, including operating systems, dedicated control rooms, dedicated severe accident installations and resources, etc.). Otherwise, feasibility of an integrated, site-level model will be investigated.Since external hazard scenarios are often affecting multiple units (and sources), dedicated site-level models are particularly relevant for these scenarios.

The screening approach for a multi-unit, multi-source PSA is basically similar to the screening approach for a single unit as discussed in the previous sections. The following comments and recommendations on specific aspects for site-level PSA screening are given:

Obviously, internal initiating events have to be identified for each unit and source. The scope of an internal initiating events site PSA consists of the set of initiating events for each unit/source.

Similarly, internal hazards are basically related for each individual unit. Relevant releases from one unit (or source) should be considered as a potential (external) hazards for other units/sources. The set of internal hazard scenarios for a site-level PSA consists of the set of internal hazard scenarios for each unit/source.

External hazard scenarios are basically events affecting the site. Consequently, external hazard scenarios (or combinations of external hazards with other events) should be screened in for detailed site-level modelling if they are screened in for any one unit or source.

Bounding assessment needs to consider multi-unit/multi-source aspects (cf. section 6.3). Systems and other provisions or resources providing safety functions to more than one unit or

sources should be assumed to be unavailable, if they cannot provide simultaneous demands from all connected units or sources simultaneously.

If shared or interconnected systems or other provisions providing safety functions to more than one unit can fail due to hazard impact, propagation of hazards from any one unit, or due to consequential effects from internal initiating events or internal hazard at any one unit/source or due to external hazards, these should be assumed to be unavailable for every unit for all relevant cases per default.


IRSN/PSN-RES/SAG/2017-00019 125/142


If the propagation of internal or external hazard impacts or effects of consequential failures from one unit/source to another unit/source cannot be excluded with a high degree of certainty, it should be assumed to occur for bounding assessment by default.

More realistic bounding assessments should be well justified.These recommendations should be applied for bounding assessment of each individual unit/source, irrespective of whether the development of a site-level PSA model is intended or not.

For the development of a multi-unit and multi-source (site-level) PSA model, PSA analysts have to identify the relevant events and scenarios affecting multiple units or sources at the same time.Multi-unit accident sequences may be caused by two classes of initiating events:

Common-Cause Initiators (CCIs): Initiators that simultaneously challenge all of the units at the site. CCIs include initiators that are caused by external hazards (e.g. earthquakes, severe weather).

Single-Unit Initiators (SUIs): Initiators that occur at one unit. SUIs generally include initiators caused by internal hazards such as internal events (e.g. loss of main feedwater, loss of coolant accidents), internal floods, and internal fires. SUIs may cause multi-unit accidents due to cross-unit dependencies such as shared support systems, spatial interactions (e.g., internal flood and internal fire propagation pathways), common cause failures or operator actions.

In addition, PSA analysts need to identify further dependencies between the units/sources in order to decide on the need for a (dedicated) site-level modelling.Six main dependence classifications are identified [92]:

initiating events, shared connections, identical components, proximity dependencies, human dependencies, and organizational dependencies.

Table 6-1 represents the matrix showing the classification scheme and systems with respect to PSA Level 1 considerations potentially affected [92].


IRSN/PSN-RES/SAG/2017-00019 126/142


Table 6-6 Classification matrix for multi-unit dependencies [92]

It should be noted that the examples given [92] need to be extended to PSA Level 2 considerations, i.e. dedicated severe accident management equipment, effects of radioactive releases of one unit on others, hydrogen hazard, etc.

Therefore, any comprehensive screening for an extended PSA depends on the understanding of all interdependencies between the different units/sources. Therefore, the identification of SSC and other provisions that might be relevant for multiple units/sources is an essential step. To this end, a combination of the following approaches can be recommended:

Evaluation of deterministic safety demonstrations related to multi-unit effects, Evaluation of deterministic hazard impact analyses, Dedicated failure mode and effects analysis of SSCs and other provisions on the site looking

for effects on multiple units, Evaluation of (existing) single-unit PSA models for minimum cuts sets that are (largely) the

same for more than one unit or of existing PSA modelling on multi-unit issues.This information needs to be gathered into a comprehensive list of SSC and other provisions potentially affecting multiple units/sources with regard to the six dependency classifications defined above. Based on such information, the list of events, hazards and combinations thereof can be checked for those events which potentially affect multiple units.

Every multi-unit PSA is also a multi-source PSA. A quite common multi-source PSA is a PSA for the reactor core and the spent fuel pool. The screening approach for a multi-source PSA is basically identical to the multi-unit approach described above. Therefore multi-source aspects are included in


IRSN/PSN-RES/SAG/2017-00019 127/142


the text above as applicable. Issues connected to multi-source PSA are still a field of research and there is little good practice available to the ASAMPSA_E project (apart from extension of the PSA to include the SFP). However, some remarks specific to multi-source PSA can be made with respect to the proposed screening approach:

1. The identification of initiating events and hazard scenarios for non-fuel type sources has to be performed along the lines described in sections 6.4, 6.5, 6.6, and 6.7. The identification process should use as failure criterion for determining a potential challenge to plant safety the definition of the RMF metric: If an event or scenario and its further development in plant response analysis might challenge the first boundary designed to contain the source, the event or scenario should be considered during screening.

2. Qualitative screening criteria defined in section 6.2 are fully applicable to screening for a multi-source PSA.

3. For non-fuel sources, the RMF risk measure (cf. also D30.5 [87]) is recommended for PSA Level 1.Typical sources in a NPP include radioactive waste treatment facilities, waste conditioning facilities, and on-site interim storage facilities.Analysts should be aware that RMF is intended to generalize the CDF/FDF metric. Therefore, CDF/FDF is a subset of RMF; respective CDF/FDF contributions from bounding assessment and more detailed PSA models should be treated as contributions to overall RMF results.

4. RMF is also recommended as a PSA Level 1 risk measure for capturing scenarios with (significant) mechanical damage to fuel rods without excessive fuel heat-up not captured by the FDF metric. Such scenarios are particularly relevant for some internal hazard impact scenarios like e.g. heavy load drop or accidents during on-site transport of spent fuel.

5. No specific and additional PSA Level 2 risk measures are defined for multi-source PSA screening. Releases from sources other than fuel should be converted to equivalent releases of the representative isotopes for LRF and ERF.

For sites with multiple units, scenarios with potential accidental releases representative of severe accidents in more than one unit might be of specific interest. As explained above, such release scenarios would be captured by the proposed screening approach. Nonetheless, very large (e.g. from a spent fuel pool) releases might be of specific interest in order to screen in specific scenarios for more detailed analysis, even though they have been screened out based on LRF. For this purpose, using a variant of the LERF metric, the very large release frequency (VLRF), by defining a very large release threshold, can be recommended.For the VLRF metric, the threshold set to 500 PBq I-131 (or equivalent) based on [88] p. 17 and the recommendations on LERF in D30.5 [87] should be considered. It should be noted that the radiological equivalence factor of a unit activity of Cs-137 to I-131 is 40 [88], p. 16.


IRSN/PSN-RES/SAG/2017-00019 128/142


7 CONCLUSIONS

From an industrial end-user perspective, the screening process must be effective enough to be able to identify rapidly key predominant hazards eligible to extended PSA analysis. This is paramount to enable industrial end-user to better focus resources and direct them to address issues that present the highest significance to NPP Risks and Safety. The following provide some envelope good practices for each step of the selection of extended PSA initiating events. From an industrial end-user perspective, each step must be adapted and simplified where necessary and justified.

The major steps for initiating events identificationBased on the discussion in the previous section, the following refined methodology for initiating events identification, screening and analysis for an extended PSA consists of four major steps:

1. Comprehensive identification of events and hazards and their respective combinations applicable to the plant and site. Qualitative screening criteria will be applied.

2. Initial (possibly conservative) frequency claims for events and hazards and their respective combinations applicable to the plant and the site. Quantitative screening criteria will be applied.

3. Impact analysis and bounding assessment for all applicable events and scenarios. Events are either screened out from further more detailed analysis, or are assigned to a bounding event (group), or are retained for detailed analysis.

4. Probabilistic analysis of all retained (bounding) events at the appropriate level of detail.

The main qualitative and quantitative screening criteriaThe proposed screening approach for an extended PSA recommends using the following qualitative screening criteria.

1. The event poses no challenge to safety systems.2. The event is bounded by another initiating event or the induced accident scenario is already

included in the PSA.3. The event (external hazard) has the potential to induce catastrophic levels of destruction on

the plant and regional scale offsite consequences.

The following quantitative screening criteria, relative to overall PSA results for the respective risk measures are proposed.

1. Based on current overall PSA results of the unit or source (i.e. including bounding assessment estimates) for FDF, LRF, and ERF, apply limits of 1 % of the overall PSA results for the following risk measures:


IRSN/PSN-RES/SAG/2017-00019 129/142


a. FDFevent < 1% FDFoverall if < 10-7/a(RMFevent < 1% RMFoverall if < 10-7/a)

b. LRFevent < 1% LRFoverall if < 10-8/ac. ERFevent < 1% ERFoverall if < 10-8/a

(LERFevent < 1% LERFoverall if < 10-8/a)

The whole processThe identification of internal initiating events as well as internal and external hazard scenarios needs to be as comprehensive as possible. The identification process should follow a systematic approach, use all relevant and available information on the plant and its environment, and be documented in a traceable manner. Guides like IAEA SSG-3 [4] provide solid high-level guidance on this issue.Important recommendations for the screening of internal initiating events and hazard scenarios for an extended PSA are the following:

1. Grouping of internal initiating events and hazard scenarios into representative groups plays an important role during screening.Events and scenarios should be grouped into one bounding group only if they have similar properties in terms of accident development up to fuel damage, accident progression after fuel damage up to release categories, and relevant accident mitigation measures.The grouping of events should consider uncertainties and levels of conservatism associated with frequency determination and bounding assessments. As far as practicable, grouped events and scenarios should be comparable in this regard. Importantly, the results for initiating frequency and the bounding scenario should not be distorted by combining e.g. a moderately frequent event with small uncertainty bounds with a rare event with excessive uncertainty bounds.To the extent practicable, the implications of each event or scenario with regard to several sources in one unit (e.g. reactor core and spent fuel pool) or for the site in case of a multi-unit site should be considered.Grouping of similar events and scenarios should be preferred to screening them out individually based on bounding assessment from a more detailed probabilistic assessment.

2. Bounding assessment is an essential step in the screening process for limiting the number of cases for more detailed probabilistic modelling. Bounding assessment is based on plant response analysis and hazard impact analysis. Bounding assessment used all relevant information sources on the plant and its behaviour in response to the analysed event or scenario.Claims made based on expert judgement during bounding assessment shall be demonstrably conservative. Estimations should be made consecutively on initiating event or hazard scenario frequency, conditional probabilities to FDF or RMF, and conditional probabilities to LRF and ERF.


IRSN/PSN-RES/SAG/2017-00019 130/142


Bounding assessments for internal and external hazard scenarios should make use of internal initiating event PSA models.Bounding assessment for multi-unit and multi-source PSA should make conservative failure assumptions on shared systems and the propagation of hazard effects through shared systems and other connections.

3. Screening of internal initiating events and internal hazard scenarios should be made specific for the respective unit or source. A site-model should then be developed from those events screened in for each unit or source.Screening for external hazard scenarios should be done based on the specific units or sources. If an external hazard scenario is screened in for any unit or source, it should be treated for all units or sources in the site-level PSA model by more detailed probabilistic modelling.

4. Plausible combinations of applicable hazard scenarios with other independent or correlated external or internal hazards or internal initiating events need to be screened separately, even if the individual event or hazard has already been screened out (except if it is not applicable to the site).

5. Applicability screening for hazard scenario (as well as each combination of hazards), PSA analysts should make claims on the maximum credible impact. The ASAMPSA_E project recommends that maximum credible impact is determined based on reasonable physical, geophysical, and chemical assumptions on the source of the hazard, without explicit consideration on the likelihood of such a scenario.

6. Particularly for external hazards, a partitioning of the hazard frequency curve in a small number of subgroups based on one representative hazard impact parameter of a set of such parameters will be necessary. The partitioning should consider design basis thresholds for hazard impact, design extension condition analysis assumptions on beyond design basis impacts, and impact parameter values for a potential cliff-edge to catastrophic failures.

7. Results from an analysis following the Fault Sequence Analysis method [67], [68] or similar approaches can provide valuable input for the screening of internal and external hazards and their combinations.

8. Screening for non-fuel sources should use the RMF as PSA Level 1 risk measure. The identification process of events and scenarios challenging non-fuel type sources can be based on the RMF metric definition as a potential challenge to the first barrier designed to contain the respective source.

9. Screening on the recommended release metrics LRF and ERF should be focus on aerial release. Analysts need to confirm if aqueous release or release into the ground are relevant release paths.

10. For the construction of site-level PSA models, further screening needs to be performed on those events and scenarios for which a dedicated site-level PSA will be necessary. Although this is not formally part of the screening for an extended PSA but rather an issue of how to


IRSN/PSN-RES/SAG/2017-00019 131/142


construct a multi-unit, multi-source PSA model, we have provided selected recommendations in section 6.8.

Bounding estimates on the screening risk measures (i.e. FDF, RMF, LRF, and ERF) for each event and scenario should be understood to be part of overall PSA results. Insights from bounding analysis and potential vulnerabilities of the plant discovered during the screening process should be documented and treated in the further PSA process.

The screening process is inherently iterative in order to limit the number of cases for more detailed PSA models. If the number of screened in scenarios is large it could be necessary to set priorities for the detailed PSA models and bounding could be useful for that purpose. The overall approach to the determination of initiating events for an extended PSA can be summarized for internal events PSA in Figure 7-3. The extension of the approach to hazard scenarios is depicted in Figure 7-4.

Figure 7-3 Screening approach to internal events


IRSN/PSN-RES/SAG/2017-00019 132/142


Figure 7-4 Extension of screening approach to hazard scenarios

Remarks regarding PSA quality

Systematic use of quantitative bounding assessment in the screening for an extended PSA is seen as good practice.

Explicit bounding assessment rules necessarily limit the risk of neglecting specific aspects of the event and its impact on the plant, especially regarding severe accident scenarios. PSA analysts should be encouraged to propose specific claims (at the appropriate level of conservatism and detail) and provide supporting arguments.

The quantitative bounding assessment, irrespective whether by expert judgement or by using simplified conservative assessment models, is seen as a valid probabilistic assessment approach. To that end, bounding assessments have to be traceable.

Having claims and supporting arguments significantly improves the traceability of the screening process and thus contributes to the review of the PSA, both internally as well as by regulatory bodies.

Towards detailed PSA models?

There is no sharp dividing line between progressively more refined bounding assessment and the development of a more detailed PSA model. The transition is gradual and depends, amongst others, on


IRSN/PSN-RES/SAG/2017-00019 133/142


the availability of assessment methods, available data, and the scope and level of detail of existing PSA modelling for this and similar events or scenarios. As a general guidance, probabilistic assessment leaves the area of bounding assessment, if results should be reported with uncertainty bounds.

The development of detailed PSA models may require further iteration steps for screened-in initiating events or hazard scenario groups. Depending on the risk measures specified for PSA Level 1, PSA Level 2, and possible PSA Level 2+ results, there can be additional constraints on the grouping of events and scenarios, because initially grouped scenarios have dissimilar properties with respect to these additional (aspects of) risk measures. Then, PSA analysts need to de-aggregate the respective groups. Moreover, bounding assessment results from screening have to be forwarded to overall PSA results and need to be compared with the more detailed results, based on the risk measures defined for detailed PSA investigations. The risk measure for detailed PSA investigations may address additional characteristics and aspects of accident sequences, not covered by the screening risk measures. For the comparison of detailed PSA results and bounding assessment results, the latter should be assigned to the worst applicable category. For example, if the FDF measure is differentiated by the aspect of time to fuel damage, all bounding assessments should be assigned to the subcategory representing the earliest fuel damage by default. Assigning results to a less severe subgroup should be justified by targeted or refined bounding assessment.

Detailed analysis of hazards scenarios should follow a graded approach as well. The level of effort and the level of conservatism should be commensurate to the overall contribution of the scenarios to relevant risk measures, to the knowledge available on the hazard, its frequency, and its impact on the plant and site, and to the relevance of respective PSA results to decision makers and other stakeholders. A too high level of detail and complexity could lead to PSA models that are very difficult to build and to use for practical applications.

In order to have a better understanding of the quality of the quantitative results of the screening process, PSA analysts should aggregate the bounding assessment claims on FDF, RMF, LRF, and ERF over all screened-out events. These should then be compared to the respective PSA results from more detailed analysis.

If the aggregated claims for FDF, RMF, LRF, and ERF are below 10% of the respective total results from more detailed PSA, no further refinement of a comprehensive screening process is necessary.Such a result should be seen as an indicator for a PSA which can not only support risk-informed decisions in general but also decisions with respect to the risk profile of the plant in most cases.

If the aggregated claims for FDF, RMD, LRF, and ERF are below the respective totals results from more detailed PSA, analysts should consider

a. if bounding assessments can be refined or


IRSN/PSN-RES/SAG/2017-00019 134/142


b. if certain events should be considered for a detailed PSA investigation. Single events can be prioritized by the contribution of their claims to the aggregated claims.

Such a result should be seen as an indicator for a sound PSA, which can support risk-informed decision making. However, decisions with respect to the risk profile of the plant merit explicit consideration of screened-out events.

If the aggregated claims for FDF, RMF, LRF or ERF are larger than the respective results from more detailed PSA but less than 10 times larger, analysts should at least refine bounding assessments for important events or scenarios. Alternatively, important events or scenarios should be considered for a detailed PSA investigation.Such a result should be seen as an indicator for an acceptable PSA. While the PSA can support risk-informed decision making in principle, the impact of screened-out events merits explicit consideration. Decisions on the risk profile of the plant might be significantly impacted by screened-out events.

If the aggregated claims for FDF, RMF, LRF or ERF are larger the 10 times the respective results from more detailed PSA, the screening should be refined. Important events should be considered for detailed PSA investigations.Such a result should be seen as an indicator for a screening process which should be improved. The PSA might be able to support risk-informed decision making, but lack of knowledge about the risk of the plant will reduce the validity of PSA insights and might reduce its range of applicability.

Link with the situations that should be practically eliminated (if applicable)If the concept of practical elimination is applied in the NPP safety demonstration, then the PSA analysts shall make the link between initiating events selection for extended PSA and the situations that are considered to be practically eliminated explicit. They should verify that these situations contribute negligibly to the overall risk.


IRSN/PSN-RES/SAG/2017-00019 135/142


8 LIST OF REFERENCES

[1] Technical report ASAMPSA_E/WP10/D10.2/2014-05-Synthesis of the initial survey related to PSAs End-Users needs (Report IRSN/PSN-RES-SAG/2014-00193)

[2] International Atomic Energy Agency (IAEA), “Safety of Nuclear Power Plants: Design”, Specific Safety Requirements No. SSR-2/1, January 2012

[3] International Atomic Energy Agency (IAEA), “Deterministic Safety Analysis for Nuclear Power Plants”, Specific Safety Guide No. SSG-2, December 2009

[4] International Atomic Energy Agency (IAEA), “Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants”, Specific Safety Guide No. SSG-3, April 2010

[5] Raimond, E. et al., “ASAMPSA_E: Advanced Safety Assessment Methodologies: Extended PSA, Annex I – Description of Work”, 7th Framework Program Grant Agreement No 605001, May 2013

[6] International Atomic Energy Agency (IAEA), “IAEA Safety Glossary, Terminology Used in Nuclear Safety and Radiation Protection 2007 Edition”, June 2007

[7] International Atomic Energy Agency (IAEA), “Defining Initiating Events for Purposes of Probabilistic Safety Assessment”, IAEA-TECDOC-719, September 1993

[8] International Atomic Energy Agency (IAEA), “Advanced Nuclear Plant Design Options to Cope with External Events”, IAEA-TECDOC-1487, February 2006

[9] U.S. Nuclear Regulatory Commission (NRC), “Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants, LWR Edition”, Regulatory Guide 1.70, rev. 3, November 1978

[10] Office for Nuclear Regulation (ONR), “Safety Assessment Principles – 2014 edition”, Rev. 0, November 2008

[11] Western European Nuclear Regulators Association (WENRA), “WENRA Safety Reference Levels for Existing Reactors”, September 2014

[12] Western European Nuclear Regulators Association (WENRA), “WENRA Reactor Safety Reference Levels”, January 2008

[13] ASAMPSA2 Best practices guidelines for L2PSA development and applications (Vol 1 – General - Vol 2 - Best practices for the Gen II PWR, Gen II BWR L2PSAs. Extension to Gen III reactors - Vol 3 – Extension to Gen IV reactors) - IRSN/ PSN-RES/SAG/2013-00177 – www.asampsa.eu or www.asampsa2.eu, April 2013.

[14] Wikimedia Foundation, “Risk metric”, version 7 December 2014, http://en.wikipedia.org/wiki/Risk_metric

[15] Holmberg, J., M. Knochenhauer, “Probabilistic Safety Goals. Phase 1 – Status and Experience in Sweden and Finland, NKS-152, March 2007

[16] Bundesministerium für Umwelt, Naturschutz und Reaktorsicherheit, “Sicherheitsanforderungen an Kernkraftwerke” from 20 November 2012, BAnz AT 24.01.2013 B3


IRSN/PSN-RES/SAG/2017-00019 136/142

http://en.wikipedia.org/wiki/Risk_metric

http://www.asampsa2.eu/

http://www.asampsa.eu/


[17] United States Coast Guard, “Risk-based Decision-making Guidelines, Volume 3 Procedure for Assessing Risks, Applying Risk Assessment Tools, Chapter 10 – Hazard and Operability (HAZOP) Analysis”, December 2000

[18] International Electrotechnical Commission (IEC), “Analysis Techniques for System Reliability – Procedure for Failure Mode and Effects Analysis (FMEA)”, IEC 60812, 2nd ed., 2006

[19] International Atomic Energy Agency (IAEA), “External Human Induced Events in Site Evaluation for Nuclear Power Plants”, Safety Guide No. NS-G-3.1, May 2002

[20] International Atomic Energy Agency (IAEA), “Site Evaluation for Nuclear Installations”, Safety Requirements No. NS-R-3, November 2003

[21] International Atomic Energy Agency (IAEA), “Evaluation of Seismic Safety for Existing Nuclear Installations”, Safety Guide No. NS-G-2.3, May 2009

[22] International Atomic Energy Agency (IAEA), “External Events Excluding Earthquakes in the Design of Nuclear Power Plants”, Safety Guide No. NS-G-1.5, November 2003

[23] International Atomic Energy Agency (IAEA), “Protection against Internal Fires and Explosions in the Design of Nuclear Power Plants”, Safety Guide No. NS-G-1.7, September 2004

[24] International Atomic Energy Agency (IAEA), “Protection against Internal Hazards other than Fires and Explosions in the Design of Nuclear Power Plants”, Safety Guide No. NS-G-1.11, September 2004

[25] International Atomic Energy Agency (IAEA), “Seismic Hazards in Site Evaluation for Nuclear Installations”, Specific Safety Guide No. SSG-9, August 2010

[26] International Atomic Energy Agency (IAEA), “Meteorological and Hydrological Hazards in Site Evaluation for Nuclear Installations”, Specific Safety Guide No. SSG-18, November 2011

[27] International Atomic Energy Agency (IAEA), “Volcanic Hazards in Site Evaluation for Nuclear Installations”, Specific Safety Guide No. SSG-21, October 2012

[28] International Atomic Energy Agency (IAEA), “Development and Application of Level 2 Probabilistic Safety Assessment for Nuclear Power Plants”, Specific Safety Guide No. SSG-4, May 2010

[29] “Decree on safety documentation”, No. 318/2002, UJD SR, Bratislava, April 2002[30] “Application of PSA methodology in regulatory process”, UJD SR guideline. BNS I.4.2/1999, UJD

SR, Bratislava, 2000 (in Slovak)[31] “Regulation on operational safety of radiation and nuclear facilities (JV9)”, No. 85/2009 of

30.10.2009[32] “Second Periodic Safety Review of NEK: Probabilistic Safety Analyses”, PSR2-NEK-2.2, IJS-DP-

10851, Ljubljana, 2013[33] The American Society of Mechanical Engineers, “Standard for probabilistic risk assessment for

nuclear power plant applications”, ASME RA-S-2002, 2002 with addenda ASME RA-Sa-2003 and ASME RA-Sb-2005

[34] ANSI/ANS-58.21-2007 "American National Standard for External Event PRA Methodology" (revision of ANS-58.21-2003), American Nuclear Society, La Grange Park, USA, 2007


IRSN/PSN-RES/SAG/2017-00019 137/142


[35] WENRA, “Safety of New NPP Designs, Study by Reactor Harmonization Working Group RHWG”, March 2013

[36] ONR, “Probabilistic Safety Analysis”, Nuclear Safety Technical Assessment Guide NS-TAST-GD-030 Revision 4, June 2013

[37] Bundesministerium für Umwelt, Naturschutz und Reaktorsicherheit, “Sicherheitsanforderungen an Kernkraftwerke vom 22. November 2012”, BAnz AT 24 January 2013 B3

[38] Slovenian Nuclear Safety Administration (SNSA), “Pravilnik o zagotavljanju varnosti po začetku obratovanja sevalnih ali jedrskih objektov (JV9)”, Osnutek, (in English: Rules on operational safety of radiation or nuclear facilities (JV9), http://www.ursjv.gov.si/fileadmin/ujv.gov.si/pageuploads/si/Zakonodaja/SlovenskiPredpisi/osnutki__predlogi_predpisov/JV9_osnutek.pdf

[39] ASN, “Développement et Utilisation des Etudes Probabilistes de Sûreté”, RFS No. 2002-01, December 2002

[40] ENSI, “Probabilistic Safety Analysis (PSA): Quality and Scope”, ENSI-A05/e, March 2009 [41] STUK, “Probabilistic Risk Assessment and Risk Management of a Nuclear Power Plant”, YVL A.7,

November 2013[42] STUK “Deterministic Safety Analyses for a Nuclear Power Plant”, YVL B.3, November 2013[43] CNSC, “Deterministic Safety Analysis”, REGDOC-2.4.1, May 2014[44] CNSC, “Probabilistic Safety Assessment (PSA) for Nuclear Power Plants”, REGDOC-2.4.2, May

2014[45] International Atomic Energy Agency (IAEA), “Fundamental Safety Principles”, SF-1, November

2006[46] CNCAN, NSN-08, “Normă privind evaluările probabilistice de securitate nucleară pentru

centralele nuclearoelectrice”, 2006[47] CNCAN, NSN-02, “Norma de securitate nucleară privind proiectarea şi construcţia centralelor

nuclearoelectrice”, 2010[48] “Romania National Report for the 2nd Extraordinary Meeting under the Convention on Nuclear

Safety”, May 2012[49] CNSC, GD-310, “Guidance on Safety Analysis for Nuclear Power Plants”, February 2008[50] CNSC, RD/GD-369, “Licence Application Guide Licence to Construct a Nuclear Power Plant”,

August 2011[51] CNSC, GD-337, Guidance for the Design of New Nuclear Power Plants, September 2012[52] CNSC, “Canadian National Report for the Second Extraordinary Meeting of the CNS”, May 2012[53] CNSC, RD–346, “Site Evaluation for New Nuclear Power Plants”, November 2008[54] American Society of Mechanical Engineers, ASME/ANS RA-S-2008: “Standard for Level 1/Large

Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications," (2008).

[55] U.S. Nuclear Regulatory Commission, ”Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, LWR Edition”, Report NUREG-75/087, (1975).


IRSN/PSN-RES/SAG/2017-00019 138/142


[56] American Society of Mechanical Engineers (ASME), “Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications”, AMSE/ANS RA-Sa-2009, 2009

[57] Slovenian Nuclear Safety Administration (SNSA), Osnutek, “Pravilnik o dejavnikih sevalne in jedrske varnosti (JV5)”, (in English: Rules on radiation and nuclear safety factors (JV5), http://www.ursjv.gov.si/fileadmin/ujv.gov.si/pageuploads/si/Zakonodaja/SlovenskiPredpisi/osnutki__predlogi_predpisov/JV5_osnutek.pdf

[58] NEA/CNRA/R(2014)9, July 2014, “Probabilistic Safety Assessment, (PSA) of Natural External, Hazards Including Earthquakes, Workshop Proceedings”, Prague, Czech Republic, 17-20 June 2013

[59] IAEA, “Evaluation of Seismic Hazards for Nuclear Power Plants”, Safety Standards Series No. NS-G-3.3, Vienna 2003

[60] International Atomic Energy Agency (IAEA), Safety Series No. 50-P-7, “Treatment of External Hazards in Probabilistic Safety Assessment for Nuclear Power Plants”, 1995

[61] International Atomic Energy Agency (IAEA), 50-SG-S11A, “Extreme meteorological events in nuclear power plant siting, excluding tropical cyclones”, IAEA 1981

[62] International Atomic Energy Agency (IAEA) Safety Standards, Safety Aspects in Siting for Nuclear Installations, DS433, draft 2013

[63] DOE Standard DOE-STD-3014-96, “Accident Analysis for Aircraft Crash into Hazardous Facilities”, U.S. Department of Energy, Washington, DC, October 1996

[64] WENRA RHWG, “Guidance Document Issue T: Natural Hazards Head Document”, Guideline for the WENRA-RHWG Safety Reference Levels for Natural hazards introduced as lesson learned from TEPCO Fukushima Daiichi accident, April 2015

[65] EPRI 1022997, “Identification of External Hazards for Analysis in Probabilistic Risk Assessment”, Technical Update, December 2011

[66] BN-JB-1.7, Selection and evaluation of the accident conditions and risks for nuclear power plants, Safety instructions, SÚJB (National regulatory body), December 2010

[67] Kuzmina, I., A. Lyubarskiy, M. El-Shanawany, “An Approach for Systematic Review of the Nuclear Facilities Protection against the Impact of Extreme Events”, Nordic PSA Conference, Castle Meeting 2011, September 2011

[68] Kuzmina, I., A. Lyubarski, P. Hughes, J. Klügel, T. Koslik, V. Serebrjakov, “Fault Sequence Analysis Method to Assist in Evaluation of the Impact of Extreme Events on NPP“, Nordic PSA Conference – Castle Meeting 2013, April 2013

[69] “Regulation on ensuring the safety of NPPs”, Published SG No. 66 of 30 July 2004, amended SG No. 46 of 12 June 2007, amended SG No. 53 of 10 June 2008, and amended SG No. 5 of 19 January 2010 (in Bulgarian)

[70] BNRA, “Safety Guide, Probabilistic Safety Analysis of Nuclear Power Plants”, PP-7/2010 (in Bulgarian)


IRSN/PSN-RES/SAG/2017-00019 139/142


[71] Knochenhauer, M., P. Louko, “Guidance for External Event Analysis”, SKI Report 02-27, February 2013

[72] International Atomic Energy Agency (IAEA), “External Man-Induced Events in Relation to Nuclear Power Plants”, Safety Series 50-SG-D5, 1996

[73] International Atomic Energy Agency (IAEA), “Meteorological Events in Site Evaluation of Nuclear Power Plants”, Safety Guide NS-G-3.4, May 2003

[74] Kimura, C. Y., R. J. Budnitz, “Evaluation of External Hazards to Nuclear Power Plants in the United States”, December 1987, NUREG/CR-5042.

[75] Chen, J. T. et al., “Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities”, US NRC, NUREG-1407, June 1991

[76] BMUB, “Sicherheitsanforderungen an Kernkraftwerke vom 22 November 2012”, version of 3 March 2015, BAnz AT 30.03.2015 B2

[77] BMUB, “Interpretationen zu den Sicherheitsanforderungen an KKW vom 22. November 2012“, version of 3 March 2015, BAnz AT 30.03.2015 B3

[78] Bundesamt für Strahlenschutz (BfS), “Safety Review for Nuclear Power Plants pursuant to §19a of the Atomic Energy Act – Guide Probabilistic Safety Analysis” of 30 August 2005

[79] Facharbeitskreis (FAK) Probabilistische Sicherheitsanalyse für Kernkraftwerke, “Methoden zur probabilistischen Sicherheitsanalyse für Kernkraftwerke“, Revision: August 2005, BfS-SCHR-37/05, October 2005

[80] Methoden und Daten zur probabilistischen Sicherheitsanalyse für Kernkraftwerke“, Mai 2015, BfS-SCHR-61/16

[81] Kerntechnischer Ausschuss (KTA),“Design of Nuclear Power Plants against Seismic Events Part 1: Principles“, KTA 2201.1, November 2011

[82] Kerntechnischer Ausschuss (KTA),“Flood Protection for Nuclear Power Plants“, KTA 2207, November 2004

[83] Kerntechnischer Ausschuss (KTA),“Design of Nuclear Power Plants against Damaging Effects from Lightning", KTA 2206, November 2009

[84] Facharbeitskreis (FAK) Probabilistische Sicherheitsanalyse für Kernkraftwerke, “Daten zur probabilistischen Sicherheitsanalyse für Kernkraftwerke“, Revision: August 2005, BfS-SCHR-38/05, October 2005

[85] IAEA, “Treatment of Internal Fires in Probabilistic Safety Assessment for Nuclear Power Plants”, Safety Reports Series No. 10, September 1998

[86] ASAMPSA_E, “Lessons of the Fukushima Dai-ichi accident for PSA”, ASAMPSA_E D30.2D30.2/2017-32. IRSN-PSN-RES/SAG/2017-00021

[87] ASAMPSA_E, “Risk Metrics and Measures for an Extended PSA”, ASAMPSA_E/WP30/D30.7/2017-31 volume 3, IRSN/PSN-RES/SAG/2017-00019

[88] International Atomic Energy Agency (IAEA), “INES The International Nuclear and Radiological Event Scale”, User’s Manual, 2008 Edition, March 2013


IRSN/PSN-RES/SAG/2017-00019 140/142


[89] CNCAN, « Normele de securitate nucleară privind protecţia instalaţiilor nucleare împotriva evenimentelor externe de origine naturala », 15.01. 2015

[90] Fleming K. N., “Motivation and Challenges for Multi-Unit PRAs”, ANS PSA 2013 International Topical Meeting on Probabilistic Safety Assessment and Analysis Columbia, SC, September 22-26, 2013

[91] Stutzke, Martin A., “Scoping Estimates of Multiunit accident Risk”, Probabilistic Safety Assessment and Management PSAM 12, June 2014, Honolulu, Hawaii

[92] Modarres M., S. Schroer, “An Event Classification Schema for Evaluating Site Risk in a Multi-Unit Nuclear Power Plant Probabilistic Risk Assessment”, ANS PSA 2013 International Topical Meeting on Probabilistic Safety Assessment and Analysis, Columbia, SC, September 22-26, 2013

[93] International Atomic Energy Agency (IAEA), “Safety Assessment for Facilities and Activities”, General Safety Requirements Part 4 No GSR Part 4, May 2009

[94] Decker, K., H. Brinkmann, “List of External Hazards to be Considered in Extended PSA”, ASAMPSA_E D21.2, December 2014

[95] International Workshop on Multi-unit Probabilistic Safety Assessment (PSA), Ottawa, ONT (Canada), November 17-20, 2014

[96] ASAMPSA_E, “Summary report of already existing guidance on the implementation of External Hazards in extended Level 1 PSA”, ASAMPSA_E/WP22/D22.1/2015-11, IRSN-PSN-RES-SAG-2015-00235, August 2015

[97] Atomic Energy Society of Japan, “Implementation Standard Concerning the Risk Assessment Methodology Selection for the External Hazards” (in Japanese), AESJ-SC-RK008, 2014

[98] T. Kuramoto, A. Yamaguchi, et.al, “Development of Implementation Standard Concerning the Risk Evaluation Methodology Selection for the External Hazards”, PSAM12, Honolulu, Hawaii, June 2014

[99] ASAMPSA_E, “Report on external hazards with high amplitude that have affected NPP in operation (in Europe or in other countries)”, ASAMPSA_E/WP10/D10.3/2016-16, IRSN PSN/RES/SAG/ 2016-00031, January 2016

[100] Türschmann, M., M. Röwekamp, S. Babst, “Concept for Comprehensive Hazards PSA and Fire PSA Application”, Progress in Nuclear Energy, Volume 84, pp. 36–40, 2015.

[101] NUREG-2122, “Glossary of Risk-Related Terms in Support of Risk-Informed Decision making,” U.S. Nuclear Regulatory Commission, Washington, DC, May 2013.

[102] NUREG-1855, “Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision making”, U.S. Nuclear Regulatory Commission, Washington, DC, March 2013.

[103] RG 1.200, “An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities”, Revision 2, U.S. Nuclear Regulatory Commission, Washington, DC, March 2009.

[104] Mitsubishi Heavy Industries, Ltd., Design Control Document for the U.S. APWR Mitsubishi Heavy Industries Ltd., MUAP-DC001, Chapter 15, Rev. 1, Aug. 2008.


IRSN/PSN-RES/SAG/2017-00019 141/142


[105] International Atomic Energy Agency (IAEA), “Best Practices in Identifying, Reporting and Screening Operating Experience at Nuclear Power Plants”, IAEA TECDOC No. 1581, 2008.

[106] US Nuclear Regulatory Commission, “PRA Procedure Guide: A Guide to the performance of Probabilistic Risk Assessments for Nuclear Power Plants », NUREG/CR-2300, 1983.

[107] I-boken, “Initiating Events at Nordic Nuclear Power Plants”, version 2, 1994. SKI Report 94:12, ISSN 1104-1374, ISRN SKI-94/1-SE.

[108] Hellstroem, Per, Comparison of SKIFS 2004:1 and Tillsynshandbok PSA against the ASME PRA Standard and European requirements on PSA, Swedish Nuclear Power Inspectorate, Stockholm (Sweden)

[109] ASAMPSA_E, “The link between the Defence-in-Depth Concept and Extended PSA”, Technical report ASAMPSA_E/WP30/D30.7/2017-31 volume 4, IRSN PSN-RES/SAG/2017-00019.


IRSN/PSN-RES/SAG/2017-00019 142/142

rar - accueil | asampsa easampsa.eu/wp-content/uploads/...wp30...selection.docx · web viewthe...

Documents